Date: Mon, 30 Jun 2014 10:54:11 -0400 (EDT) From: cve-assign@...re.org To: mmcallis@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE requests: nagios check_dhcp plug-in: read parts of INI config files belonging to root -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is a somewhat unusual situation for CVE because there are two cases in which a researcher reported a subset of the problem, and then a vendor fix was announced that apparently addressed the problem without modifying the component mentioned by the researcher. > http://seclists.org/fulldisclosure/2014/May/74 > > This was fixed in version 2.0.2: > > <http://nagios-plugins.org/nagios-plugins-2-0-2-released/> Use CVE-2014-4701 for the report in http://seclists.org/fulldisclosure/2014/May/74 stating that check_dhcp is affected. (http://nagios-plugins.org/nagios-plugins-2-0-2-released/ is also an applicable reference for this CVE.) Use CVE-2014-4702 for the report in http://nagios-plugins.org/nagios-plugins-2-0-2-released/ stating that check_icmp is affected. This is new vector information announced at a different time by a different party. (From a practical perspective, someone might have been tracking Nagios Plugins security on the basis of fulldisclosure posts, and decided to "fix" http://seclists.org/fulldisclosure/2014/May/74 by simply deleting the check_dhcp plugin. In this case, CVE-2014-4702 is useful because that installation was still vulnerable after that CVE-2014-4701 remediation action.) > http://seclists.org/fulldisclosure/2014/Jun/141 > > This was fixed in version 2.0.3: > > <http://nagios-plugins.org/nagios-plugins-2-0-3-released/> Use CVE-2014-4703 for the report in http://seclists.org/fulldisclosure/2014/Jun/141 stating that check_dhcp is affected. (http://nagios-plugins.org/nagios-plugins-2-0-3-released/ is also an applicable reference for this CVE.) Here, the vendor did not announce any additional vector information (and only referred to "the SUID vulnerability discovered by David Golunski") so we can't assign a fourth CVE ID for the http://nagios-plugins.org/nagios-plugins-2-0-3-released/ post. It's possible that this is actually a parallel situation, so if anyone wants to announce an issue in 2.0.2 that's not specifically about check_dhcp, an additional CVE ID could be assigned. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTsXlEAAoJEKllVAevmvmsIs8H/0nIgPWQJWEXPckNuYNPwAof Cxedes/xZ4Btuw+90PfGPPIrPaN6JJkg9+kFBEMLMQWy/AwTLjHkU7CMmVB7kTtx DPPkQX7wPvRxM1ZcWA4zonsa5h/eGqiXBlrkl/C8qzsuPxGhRC+SVLDu8tIarQuw CPHS4haMnMSPMAnY3Iqaproh0Bm3f/5q+3wDpsVKJS/YZX/iS+EgPpJ/T+1BJwOu NLEfIuMAHiV99nA0OzZpLy9rClfE7Mhurfg+u3s2TKVTtjoEWddyWXnP4iHdhtU1 YvOLW3uMrVj7qQHR8ZHtpPD3smpHS6wU7ZPsN6qQkkKwYV3NU1/Yid+Ygv3Bitc= =N17g -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ