Date: Sat,  4 Jul 2015 12:58:40 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: please REJECT CVE-2015-3199

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://projects.theforeman.org/issues/10469
> 
> "This was reported by Ori Rabin to foreman-security (thanks!) and a CVE
> identifier was filed under CVE-2015-3199, but it turned out this does
> not affect any released upstream version."
> 
> so it was effectively in an unreleased version, thus no need for CVE.

The scope of CVE isn't strictly limited to released upstream versions.
As mentioned at the bottom of the
http://openwall.com/lists/oss-security/2015/01/04/7 post, some
products sometimes have CVEs for this type of unreleased software,
whereas others do not. We feel that Foreman is probably in the latter
category.

http://theforeman.org/contribute.html and 10469 suggest that the
incorrect code was found only on the develop branch:
  
    - Master - latest stable release code
    - Develop - new features and bug fixes

    Master is frozen between major releases.

http://theforeman.org/introduction.html doesn't suggest that anyone
ships a product using code from the Foreman develop branch, but we
don't want to immediately rule out that possibility. This seems to be
a good choice for moving to the REJECT state, and we will most likely
do that next week unless there's an important reason to keep
CVE-2015-3199.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVmBAvAAoJEKllVAevmvmsXS4IAMYPSg8K5gDoSq+LV5lTS+na
HTpCQP4POO8NY8YcTQnKY4bnZOF13CXZqUzGxpUiw1uwJlH3yeJI6c3J/EFfAC/s
jnZgLBQ4PgDu3wk3gtIwfQROFQPz07TsAAKZj36mT/v7zA/7UhgVjfqCK9iZxwGd
ejN8Xcfz6ATKyNZvuxxPblqhb4FSdl2cyaQ87VRUVgDcdWnHrcWlimyEN9muNjX6
zeBIYohDVnkkktOu3OeKMkKOyH1ejHNJ3zxcKZMbUpo9fwmRrlssLEslqNbEzIWq
Iv+Pruul3SIENuUVpZgYjq6fbB1sbRuGKBHzxApqVKLZOAXkFAXuPyYf4WqJYlc=
=jqn1
-----END PGP SIGNATURE-----