Date: Wed, 30 Jul 2014 20:08:45 -0400 (EDT)
From: cve-assign@...re.org
To: stu@...cehopper.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, hanno@...eck.de
Subject: Re: CVE request: libressl before 2.0.2 under linux PRNG failure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> I see a number of web pages relating to this issue are mentioning that
>> it has already been assigned CVE-2014-2970, can anyone throw light on this?

> At MITRE, we (obviously) know where CVE-2014-2970 came from, and we'll
> send information here about the resolution as soon as it happens.

We've since learned that nobody ever assigned CVE-2014-2970 to that
LibreSSL issue, and apparently every appearance of CVE-2014-2970 in "a
number of web pages" was ultimately the result of a miscommunication
outside of MITRE.

A complication is that CVE-2014-2970 had been assigned to a different
issue, and that issue isn't yet public. What you should do is:

- if you're part of the embargo audience that has been using
  CVE-2014-2970 for a private vulnerability, use CVE-2014-5139 instead

- if you're not part of that embargo audience, all we can suggest is
  that it's very likely that you'll see a public disclosure of
  CVE-2014-5139 in the future

Also:

- MITRE is not part of the embargo audience and does not know what the
  CVE-2014-5139 vulnerability is

- MITRE has separately communicated the CVE ID change to the
  organization that originally assigned CVE-2014-2970

Soon, the MITRE CVE web site will have this for CVE-2014-2970:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs:
CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139,
and has also been used to refer to an unrelated topic that is currently
outside the scope of CVE. This unrelated topic is a LibreSSL code change
adding functionality for certain process-bifurcation use cases that
might arise in future LibreSSL-based applications. There is no CVE ID
associated with this LibreSSL code change.

As of 20140730, CVE-2014-5139 is an undisclosed vulnerability in a
different product, with ongoing vulnerability coordination that had
previously used the CVE-2014-2970 ID. The MITRE CVE web site entry for
CVE-2014-5139 will have the details of the issue after the public
disclosure happens.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJT2YhdAAoJEKllVAevmvms8ucH/RR5XB+vo3gsdgZttTYTxC9G
jYODUmi6BBg3FwQSPiqny8DWbvSvZhZaNoDKrf8EdfJthc9dSlJ1hoFogblqj79U
meYqvTWFdaVkGPiBFbX293g7J/VDQVpcXxYI24Kc+MR8OAfu4jV9imeZZ62iouuk
4BbhvtUD2yFqag5S3YUqhFfo3FIOQVYyh+M52927HzQSTDheUWCapHZfUP7lOYAL
vQeyDSayP5QNcLpjeKhshS5/L1aTDOMY4KreYDSvs/0+wgvE+FexqyjwzeoSpyGr
HHkrIyuIIHPT3aTbSvaxAgso51fPRKCEZsR7eh2XFnePEi+Cq6KysTQhASC1iWM=
=3pTv
-----END PGP SIGNATURE-----