Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue,  2 Feb 2016 14:36:06 -0500 (EST)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Socat security advisory 7 - Created new 2048bit DH modulus

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>   In the OpenSSL address implementation the hard coded 1024 bit DH p
>   parameter was not prime. The effective cryptographic strength of a key
>   exchange using these parameters was weaker than the one one could get by
>   using a prime p. Moreover, since there is no indication of how these
>   parameters were chosen, the existence of a trapdoor that makes possible
>   for an eavesdropper to recover the shared secret from a key exchange that
>   uses them cannot be ruled out.

This was sent to the oss-security list as a published advisory, not as
a CVE ID request. We would expect that one or more parties (e.g.,
Linux distributions) are planning to re-announce this to a different
audience in a way that would make at least one CVE ID especially
useful. Our question is about whether anyone needs two CVE IDs.

A CVE ID must be for a specific vulnerability (although we realize
that the CVE ID may often be used to track the update). Here, there
can be a CVE ID for the "was not prime" finding in the sense that p is
supposed to be prime, and a non-prime value is an implementation error
regardless of any other details of the situation. With the currently
published information, we do not see a way to generate a second CVE ID
for something related to "no indication of how these parameters were
chosen" or "cannot be ruled out."

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWsQPKAAoJEL54rhJi8gl57rMQAJdoD4DfUlHFbSupu548iP0N
3c7E8nb497rmUP6cpA/TiTECHvgglIINK/xQ8a5Eb3dBVU9rLoZewwZYyDAnItmp
cfM8F58criX0vycjv8RBh01+ZlZg8pLFNmj5O3Xew/D6qJp/mJfm80P4UE4roThh
Xh/4GgwNpHCMsUyerCmNGVSEkMS/Gf3ixoGWLGWLyquw/mZywM4EdD8qjP1SlLKA
S3nCh+1PO+CtCBNtHzWMpXtc+QD+mUTf/i5MZj9TIMEc4un0lhPLOsVQxOLM2JxG
Bz3xat0oJRyB8wqvIpAiQGYsWFewLhIaB7Fulc4SsLbc//8I4GcX0bb+/rY4/phf
5am4s0WgaXuTAkxQvhOat/scfNxwAjo5D5qkXvDozJmatYDgRN/bj8Q/PI+i6H1E
mahB5IzRwwFkLpFYn5XnzgH8BzHN0mi6iX5b4dbCGBtqa5nRJj2h0R9uxDoosTaV
8qJPzIwduwSQ0C8r5VueUdIRLhDaCoIOo/GpKAzeP/XUPNs1GMwku7WMtp3ihkPK
v7hAIDJkxEX9KNG60ZPX/NpTteuSYLfmQaDWAxAZbW2hG962kbKnUdhwBv7rZD3p
OHsBa6eUZ++f5LO7B/PWRPdt0o00menBizMV2YH8lQL2pPZf4UfoaalgsBaYidxu
Bq/DO1TXK4HnST0rpcSj
=P0EG
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ