Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 6 Aug 2014 23:07:10 +0100
From: Stuart Henderson <stu@...cehopper.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, hanno@...eck.de
Subject: Re: Re: CVE request: libressl before 2.0.2 under
 linux PRNG failure

On 2014/07/31 10:59, Stuart Henderson wrote:
> On 2014/07/30 20:08, cve-assign@...re.org wrote:
> > >> I see a number of web pages relating to this issue are mentioning that
> > >> it has already been assigned CVE-2014-2970, can anyone throw light on this?
> > 
> > > At MITRE, we (obviously) know where CVE-2014-2970 came from, and we'll
> > > send information here about the resolution as soon as it happens.
> > 
> > We've since learned that nobody ever assigned CVE-2014-2970 to that
> > LibreSSL issue, and apparently every appearance of CVE-2014-2970 in "a
> > number of web pages" was ultimately the result of a miscommunication
> > outside of MITRE.
> > 
> > A complication is that CVE-2014-2970 had been assigned to a different
> > issue, and that issue isn't yet public. What you should do is:
> > 
> >   - if you're part of the embargo audience that has been using
> >     CVE-2014-2970 for a private vulnerability, use CVE-2014-5139
> >     instead
> > 
> >   - if you're not part of that embargo audience, all we can suggest is
> >     that it's very likely that you'll see a public disclosure of
> >     CVE-2014-5139 in the future
> 
> Interesting, thanks. So how does a reporter get hold of an embargoed CVE
> number and mistakenly apply it to libressl? It seems strange to have
> pulled this number out of thin air. And how long do these embargoes
> last, this seems a relatively long time to be sitting on a bug which is
> important enough to have been embargoed.
> 
> I await the announcement of CVE-2014-5139 with interest!

Aha - and it's been announced. "Crash with SRP ciphersuite in Server Hello message".

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ