Date: Mon, 05 Jan 2015 08:33:49 -0700
From: "Vincent Danen" <vdanen@...hat.com>
To: "Salvatore Bonaccorso" <carnil@...ian.org>
Cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: CVE request: denial of service flaw in firebird

On 01/03/2015, at 21:32 PM, Salvatore Bonaccorso wrote:

> Hi,
>
> On Sat, Jan 03, 2015 at 06:59:18PM -0500, cve-assign@...re.org wrote:
>>
>>> I've not seen a CVE for this; could one be assigned?  Thanks.
>>>
>>> It was found that an unauthenticated remote attacker could send a
>>> malformed network packet to a firebird server, which would cause the
>>> server to crash.
>>>
>>> http://www.firebirdsql.org/en/news/security-updates-for-v2-1-and-v2-5-series-66011/
>>> http://tracker.firebirdsql.org/browse/CORE-4630
>>> http://sourceforge.net/p/firebird/code/60331/
>>> https://bugs.mageia.org/show_bug.cgi?id=14726
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1172445
>>
>> Use CVE-2014-9492.
>
> I have a question back on this assignment. Initially CORE-4630 did not
> have a CVE reference in the title, at least afair, but some time ago the
> reference to CVE-2014-9323 appeared.
>
> We used then this reference in Debian to track the issue, but also
> others have it:
>
> https://bugzilla.suse.com/show_bug.cgi?id=910653
> https://bugzilla.redhat.com/show_bug.cgi?id=1172445
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9323
> https://security-tracker.debian.org/tracker/CVE-2014-9323
>
> Should CVE-2014-9492 be rejected and CVE-2014-9323 still
> continue to be used?

Thanks for this, Salvatore.  I hadn't noticed that the CVE was assigned.
I think 9492 should be rejected; I don't know where 9323 came from but
we have already released errata with that CVE name for Fedora and it
looks like many others (as you noted) are also using 9323.



-- 
Vincent Danen / Red Hat Product Security
