Date: Tue, 1 Sep 2015 22:37:04 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>, cve-assign@...re.org, security@...nafs.org, security@...ba.org
Subject: CVE REJECT CVE-2015-3287

So I know we said no more CVE rejects here but this one is public and already a mess.

Long story short, I assigned the following CVEs to OpenAFS:

CVE-2015-3282 OpenAFS: vos leaks stack data onto the wire in the clear when creating vldb entries
CVE-2015-3283 OpenAFS: bos commands can be spoofed, including some which alter server state
CVE-2015-3284 OpenAFS: pioctls leak kernel memory
CVE-2015-3285 OpenAFS: kernel pioctl support for OSD command passing can trigger a panic
CVE-2015-3286 OpenAFS: Solaris grouplist modifications for PAGs can panic or overwrite memory

however they also used CVE-2015-3287 for
http://www.openafs.org/pages/security/OPENAFS-SA-2015-006.txt

I definitely did NOT assign CVE-2015-3287 to OpenAFS, I double checked my email to them and the commits to our file that we use to handle CVE assignments. I did in fact assign CVE-2015-3287 to Samba (for a still embargoed issue). I was notified of this duplicate issue by Samba (basically asking me what was going on).

Mitre: can you please REJECT CVE-2015-3287 and assign a NEW CVE for the OpenAFS issue. I have assigned Samba a new CVE for their embargoed issue already.

Thanks.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com