Date: Wed, 9 Dec 2015 20:26:42 +0000
From: "Evans, Jonathan L." <jevans@...re.org>
To: Kurt Seifried <kseifried@...hat.com>, oss-security <oss-security@...ts.openwall.com>
CC: CVE ID Requests <cve-assign@...re.org>
Subject: RE: CVE for git issue - please use CVE-2015-7545

We are not certain if the assignment of CVE-2015-7545 is correct. The
vendor may not officially support the "blindly enable recursive fetch"
scenario, i.e. the user is expected to accept the risk of executing a
recursive fetch from an untrusted source, and the change should be
considered a security hardening feature for the convenience of their
users.

MITRE has been actively working with the upstream vendor to determine
the appropriate number of CVEs for the vulnerabilities. There was no
oss-security post from us because the context of MITRE's work was
related to previous private communication from and to the upstream
vendor.

In the future, we plan to respond quickly to requests like the initial
one, asking the requester for the appropriate information needed to
assign a CVE ID.

--
Jonathan Evans
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]