Date: Wed, 9 Dec 2015 14:15:34 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: "Evans, Jonathan L." <jevans@...re.org>
Cc: oss-security <oss-security@...ts.openwall.com>, CVE ID Requests <cve-assign@...re.org>
Subject: Re: CVE for git issue - please use CVE-2015-7545

I'm pretty sure people expect git recursive fetch to result in data being fetched (potentially quite a lot) but that it does NOT result in arbitrary command/code execution. As such (the potential for remote code execution) we feel this is a security issue, hence the security updates from Red Hat.

On Wed, Dec 9, 2015 at 1:26 PM, Evans, Jonathan L. <jevans@...re.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We are not certain if the assignment of CVE-2015-7545 is correct. The vendor
> may not officially support the "blindly enable recursive fetch" scenario, i.e.
> the user is expected to accept the risk of executing a recursive fetch from an
> untrusted source, and the change should be considered a security hardening
> feature for the convenience of their users.
>
> MITRE has been actively working with the upstream vendor to determine the
> appropriate number of CVEs for the vulnerabilities. There was no oss-security
> post from us because the context of MITRE's work was related to previous private
> communication from and to the upstream vendor.
>
> In the future, we plan to respond quickly to requests like the initial one,
> asking the requester for the appropriate information needed to assign a CVE ID.
>
> - --
> Jonathan Evans
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBAgAGBQJWaI5KAAoJEL54rhJi8gl5WDsQAL1khrVZkPxjgxauyLhaaPKA
> +zQogmqLzJmAlx6JNj5ehKNvSkPFX9J4TzJ7IyYdEiVaeoUvbWJHu+CCNfmsiEXv
> jmMDCfMOTeHUhHBi0DaeAklspzN11a78m+y4LV1ixB2/75PRHapNR36Ff2OLB6L0
> PDCW3Kwl0QBRWg+ezF4SeOfJNqCYUaat6oW16wgL33b1NTPveP7Iop0INHwb/ebd
> UEak3vZTeHowT0IP0/5wbUyqEmYXONvUuXfRvLuQQzVL2qfValAN6KMbFq2mjYEm
> SeGj9uNTBf16ATF/BboN3IWElBtGLfIwY3Rleu8NtMmKruR8rEP9tqDZKdnZI50K
> +c6S3sdqlfzc8F2m99dGE5FuXe/qY0WfALo8vDgNs58zR5uh23rIIGZwgU4zxl32
> V71ssQr/hbfxen8u3ZJ258bRVmhh8SFyykKznYdC0iq1Zf58oIwmUgja5AbNNkqI
> 39jeBeAVrdmmMIMrrw+hYDRRFcRXHRkGM95gMCSjBSHY68/duKfN+G3CIRntxtek
> /Cu3IIy50FybOfOERdy+NBsQV8yK2LR+PXWXMmik0JgYMRXkwH6zSf5opbwGDWQb
> 0nI+HIKSUXdmjGHyVE8YqgeFcb52W9+EbdybuRkdbZq09rUWUr94FPjR73VNA8Yj
> 755moYSPJKuOLPJK33pi
> =IV1v
> -----END PGP SIGNATURE-----
>

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com