Date: Tue, 1 Sep 2015 22:37:04 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>, cve-assign@...re.org, 
	security@...nafs.org, security@...ba.org
Subject: CVE REJECT CVE-2015-3287

So I know we said no more CVE rejects here, but this one is public and
already a mess.

Long story short, I assigned the following CVEs to OpenAFS:

CVE-2015-3282 OpenAFS: vos leaks stack data onto the wire in the clear when
creating vldb entries
CVE-2015-3283 OpenAFS: bos commands can be spoofed, including some which
alter server state
CVE-2015-3284 OpenAFS: pioctls leak kernel memory
CVE-2015-3285 OpenAFS: kernel pioctl support for OSD command passing can
trigger a panic
CVE-2015-3286 OpenAFS: Solaris grouplist modifications for PAGs can panic
or overwrite memory

However, they also used CVE-2015-3287 for
http://www.openafs.org/pages/security/OPENAFS-SA-2015-006.txt

I definitely did NOT assign CVE-2015-3287 to OpenAFS; I double-checked my
email to them and the commits to our file that we use to handle CVE
assignments.

I did in fact assign CVE-2015-3287 to Samba (for a still embargoed issue).
I was notified of this duplicate issue by Samba (basically asking me what
was going on).

Mitre: can you please REJECT CVE-2015-3287 and assign a NEW CVE for the
OpenAFS issue. I have assigned Samba a new CVE for their embargoed issue
already. Thanks.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
