Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 30 Jul 2014 20:08:45 -0400 (EDT)
From: cve-assign@...re.org
To: stu@...cehopper.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, hanno@...eck.de
Subject: Re: CVE request: libressl before 2.0.2 under linux PRNG failure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> I see a number of web pages relating to this issue are mentioning that
>> it has already been assigned CVE-2014-2970, can anyone throw light on this?

> At MITRE, we (obviously) know where CVE-2014-2970 came from, and we'll
> send information here about the resolution as soon as it happens.

We've since learned that nobody ever assigned CVE-2014-2970 to that
LibreSSL issue, and apparently every appearance of CVE-2014-2970 in "a
number of web pages" was ultimately the result of a miscommunication
outside of MITRE.

A complication is that CVE-2014-2970 had been assigned to a different
issue, and that issue isn't yet public. What you should do is:

  - if you're part of the embargo audience that has been using
    CVE-2014-2970 for a private vulnerability, use CVE-2014-5139
    instead

  - if you're not part of that embargo audience, all we can suggest is
    that it's very likely that you'll see a public disclosure of
    CVE-2014-5139 in the future

Also:

  - MITRE is not part of the embargo audience and does not know what
    the CVE-2014-5139 vulnerability is

  - MITRE has separately communicated the CVE ID change to the
    organization that originally assigned CVE-2014-2970

Soon, the MITRE CVE web site will have this for CVE-2014-2970:

  ** REJECT **

  DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2014-5139.  Reason:
  This candidate is a duplicate of CVE-2014-5139, and has also been used
  to refer to an unrelated topic that is currently outside the scope of
  CVE.  This unrelated topic is a LibreSSL code change adding
  functionality for certain process-bifurcation use cases that might
  arise in future LibreSSL-based applications.  There is no CVE ID
  associated with this LibreSSL code change.  As of 20140730,
  CVE-2014-5139 is an undisclosed vulnerability in a different product,
  with ongoing vulnerability coordination that had previously used the
  CVE-2014-2970 ID.


The MITRE CVE web site entry for CVE-2014-5139 will have the details
of the issue after the public disclosure happens.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJT2YhdAAoJEKllVAevmvms8ucH/RR5XB+vo3gsdgZttTYTxC9G
jYODUmi6BBg3FwQSPiqny8DWbvSvZhZaNoDKrf8EdfJthc9dSlJ1hoFogblqj79U
meYqvTWFdaVkGPiBFbX293g7J/VDQVpcXxYI24Kc+MR8OAfu4jV9imeZZ62iouuk
4BbhvtUD2yFqag5S3YUqhFfo3FIOQVYyh+M52927HzQSTDheUWCapHZfUP7lOYAL
vQeyDSayP5QNcLpjeKhshS5/L1aTDOMY4KreYDSvs/0+wgvE+FexqyjwzeoSpyGr
HHkrIyuIIHPT3aTbSvaxAgso51fPRKCEZsR7eh2XFnePEi+Cq6KysTQhASC1iWM=
=3pTv
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.