Date: Thu, 29 Jan 2015 00:03:00 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com, Mitre CVE assign department <cve-assign@...re.org> Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235) On 28/01/15 06:57 PM, Huzaifa Sidhpurwala wrote: > On 01/29/2015 03:17 AM, Florian Weimer wrote: > >>> Use CVE-2012-6686 for "unbound alloca use in glob_in_dir" as covered >>> by Red Hat Bugzilla ID 797096. >> >> Oh, it seems Huzaifa posted the wrong Bugzilla reference. >> > > Yes, sorry wrong bz. > >> We still need assignment for this fix: >> >> <https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7> >> >> The matching Red Hat Bugzilla bug is: >> >> <https://bugzilla.redhat.com/show_bug.cgi?id=981942> > The above is the correct bug with the corresponding impact at: > https://bugzilla.redhat.com/show_bug.cgi?id=1186614 > > MITRE, > > Can we still use the above CVE for this issue? This would be a bad idea and lead to much confusion, especially for people that have already consumed this CVE and written up reports that in turn have been shipped to other people/etc. Can we REJECT this CVE if the issue is not a security issue, obviously if it is a security issue we should keep this CVE. Additionally if we can get a new CVE for Bz981942 that would be great, thanks! >> >> I haven't yet seen an upstream bug for it; this change happened before >> upstream required bugs being filed for all user-visible changes. >> > > -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ