Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 2 Feb 2016 12:27:46 -0800
From: Seth Arnold <seth.arnold@...onical.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: Socat security advisory 7 - Created new
 2048bit DH modulus

On Tue, Feb 02, 2016 at 02:36:06PM -0500, cve-assign@...re.org wrote:
> useful. Our question is about whether anyone needs two CVE IDs.
> 
> A CVE ID must be for a specific vulnerability (although we realize
> that the CVE ID may often be used to track the update). Here, there
> can be a CVE ID for the "was not prime" finding in the sense that p is
> supposed to be prime, and a non-prime value is an implementation error
> regardless of any other details of the situation. With the currently
> published information, we do not see a way to generate a second CVE ID
> for something related to "no indication of how these parameters were
> chosen" or "cannot be ruled out."

Ubuntu won't issue an Ubuntu Security Notice for the socat issue (because
socat is in our "universe" archive); however, we wouldn't find it useful
to have a second CVE assigned for "no indication of how these parameters
were chosen" or "cannot be ruled out".

This is one area where distro needs don't 100% align with MITRE's: one CVE
per line of code is sufficient for us but not for MITRE. When in doubt I'd
suggest to limit the number of CVEs issued just on the principle of less
work for everyone. When it's clear, of course, do what you must; we're
lucky we get to use CVEs to identify issues, and some slight duplication
(from our perspective) is a price well worth paying to use CVE's many
positive benefits.

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.