Date: Wed, 12 Aug 2015 14:32:41 +0200 From: Florian Weimer <fweimer@...hat.com> To: ISC Security Officer <security-officer@....org>, Assign a CVE Identifier <cve-assign@...re.org> Cc: oss-security@...ts.openwall.com Subject: Is CVE-2015-4650 a duplicate, leak, or just a typo? Some documents use CVE-2015-4650 to refer to a vulnerability in BIND. Apparently, they source back to <https://www.alienvault.com/forums/discussion/5706/security-advisory-alienvault-v5-1-addresses-6-vulnerabilities> which says: “ Debian Security Update AlienVault ID: ENG-101265 Description: name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone. CVE ID: CVE-2015-4650 CVSS v2 Base Score: 7.8 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:N) ” That description seems to match CVE-2015-4620, so I'm leaning towards typo: <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4620> I don't know how this came into being. Debian does not appear responsible, the immutable list archives use the correct ID: <https://lists.debian.org/debian-lts-announce/2015/07/msg00008.html> <https://lists.debian.org/debian-security-announce/2015/msg00200.html> Comments appreciated. -- Florian Weimer / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ