Date: Tue, 7 Oct 2014 20:29:37 -0400 (EDT) From: cve-assign@...re.org To: kseifried@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: Discussion: information leakage from server and client software - CVE/hardening/other? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > we could for example have challenged CVE-2011-4083 for example saying > that it is useful to us Our perspective is that, on balance, that's a preferable way to proceed. Probably very few people outside of Red Hat would understand whether "private entitlement keys" tend to cause problems for customers. If you had a situation where: - disclosure of an entitlement key didn't matter much because the key is node-locked to the hardware of a specific customer and - bugs sometimes caused customers to have a wrong key then you probably wouldn't want a third party obtaining a CVE ID based on a guess that "entitlement key" seems roughly the same as sending the full contents of the /root/.ssh directory. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUNITCAAoJEKllVAevmvms/R0IAJuCOq/RlCFALooKjS9t8NsQ o4anQNsySmh3YYB8yW8siqf2j0oOgL/yv2JIuz0YlMRO9wG58jz7Ef5mt3CHbNDf jiaMca2237fcpWa1DWTYeYX9p3yNuiV+LulSNlT4HjF+1SCrprFbaciGACjgFrnk 74X0HNzai8I3TLZyKwo9Phy4hIfrC9j+j6TS0d84QjxpiM4rRmbm0ss1UaUlR918 a5Kk2oefMF/uD3w5HgOTcAd4QmpHpXS701a7ebDbOcasUTC0jIJEp886S07ZFZa6 SOvp8VCF6dEzPsqLlG/PHcOyRzbt0pkDyDz+H4IenxgJjFmnfLQyjSgnWSfpZNA= =KayV -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ