Date: Mon, 30 Jun 2014 10:54:11 -0400 (EDT)
Subject: Re: CVE requests: nagios check_dhcp plug-in: read parts of INI config files belonging to root


This is a somewhat unusual situation for CVE because there are two
cases in which a researcher reported a subset of the problem, and then
a vendor fix was announced that apparently addressed the problem
without modifying the component mentioned by the researcher.

> This was fixed in version 2.0.2:
> <>

Use CVE-2014-4701 for the report in stating that check_dhcp
is affected. ( is also an applicable reference for this CVE.)

Use CVE-2014-4702 for the report in stating that
check_icmp is affected. This is new vector information announced at a
different time by a different party.

(From a practical perspective, someone might have been tracking Nagios
Plugins security on the basis of fulldisclosure posts, and decided to
"fix" by simply deleting the check_dhcp plugin. In this case,
CVE-2014-4702 is useful because that installation was still vulnerable
after that CVE-2014-4701 remediation action.)

> This was fixed in version 2.0.3:
> <>

Use CVE-2014-4703 for the report in stating that check_dhcp
is affected. ( is also an applicable reference for this CVE.)

Here, the vendor did not announce any additional vector information
(and only referred to "the SUID vulnerability discovered by David
Golunski") so we can't assign a fourth CVE ID for the post. It's
possible that this is actually a parallel situation, so if anyone
wants to announce an issue in 2.0.2 that's not specifically about
check_dhcp, an additional CVE ID could be assigned.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]