Date: Wed, 6 Aug 2014 23:07:10 +0100
From: Stuart Henderson <stu@...cehopper.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, hanno@...eck.de
Subject: Re: Re: CVE request: libressl before 2.0.2 under linux PRNG failure

On 2014/07/31 10:59, Stuart Henderson wrote:
> On 2014/07/30 20:08, cve-assign@...re.org wrote:
> > >> I see a number of web pages relating to this issue are mentioning that
> > >> it has already been assigned CVE-2014-2970, can anyone throw light on this?
> > >
> > > At MITRE, we (obviously) know where CVE-2014-2970 came from, and we'll
> > > send information here about the resolution as soon as it happens.
> >
> > We've since learned that nobody ever assigned CVE-2014-2970 to that
> > LibreSSL issue, and apparently every appearance of CVE-2014-2970 in "a
> > number of web pages" was ultimately the result of a miscommunication
> > outside of MITRE.
> >
> > A complication is that CVE-2014-2970 had been assigned to a different
> > issue, and that issue isn't yet public. What you should do is:
> >
> > - if you're part of the embargo audience that has been using
> >   CVE-2014-2970 for a private vulnerability, use CVE-2014-5139
> >   instead
> >
> > - if you're not part of that embargo audience, all we can suggest is
> >   that it's very likely that you'll see a public disclosure of
> >   CVE-2014-5139 in the future
>
> Interesting, thanks. So how does a reporter get hold of an embargoed CVE
> number and mistakenly apply it to libressl? It seems strange to have
> pulled this number out of thin air. And how long do these embargoes
> last? This seems a relatively long time to be sitting on a bug which is
> important enough to have been embargoed.
>
> I await the announcement of CVE-2014-5139 with interest!

Aha - and it's been announced. "Crash with SRP ciphersuite in Server Hello message".