Date: Wed, 30 Jul 2014 20:08:45 -0400 (EDT)
Subject: Re: CVE request: libressl before 2.0.2 under linux PRNG failure

>> I see a number of web pages relating to this issue are mentioning that
>> it has already been assigned CVE-2014-2970, can anyone throw light on this?

> At MITRE, we (obviously) know where CVE-2014-2970 came from, and we'll
> send information here about the resolution as soon as it happens.

We've since learned that nobody ever assigned CVE-2014-2970 to that
LibreSSL issue, and apparently every appearance of CVE-2014-2970 in "a
number of web pages" was ultimately the result of a miscommunication
outside of MITRE.

A complication is that CVE-2014-2970 had been assigned to a different
issue, and that issue isn't yet public. What you should do is:

  - if you're part of the embargo audience that has been using
    CVE-2014-2970 for a private vulnerability, use CVE-2014-5139

  - if you're not part of that embargo audience, all we can suggest is
    that it's very likely that you'll see a public disclosure of
    CVE-2014-5139 in the future
  - MITRE is not part of the embargo audience and does not know what
    the CVE-2014-5139 vulnerability is

  - MITRE has separately communicated the CVE ID change to the
    organization that originally assigned CVE-2014-2970

Soon, the MITRE CVE web site will have this for CVE-2014-2970:

  ** REJECT **

  DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2014-5139.  Reason:
  This candidate is a duplicate of CVE-2014-5139, and has also been used
  to refer to an unrelated topic that is currently outside the scope of
  CVE.  This unrelated topic is a LibreSSL code change adding
  functionality for certain process-bifurcation use cases that might
  arise in future LibreSSL-based applications.  There is no CVE ID
  associated with this LibreSSL code change.  As of 20140730,
  CVE-2014-5139 is an undisclosed vulnerability in a different product,
  with ongoing vulnerability coordination that had previously used the
  CVE-2014-2970 ID.

The MITRE CVE web site entry for CVE-2014-5139 will have the details
of the issue after the public disclosure happens.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]