Date: Tue, 7 Jun 2016 09:49:00 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Mitre CVE assign department <cve-assign@...re.org>
Subject: Re: Please reject duplicate CVE for libxml2

Hi,

On Tue, Jun 07, 2016 at 09:34:51AM +0200, Martin Prpic wrote:
> Hi, it seems two CVEs were assigned for the same issue in libxml2:
>
> http://seclists.org/oss-sec/2016/q1/683
> http://seclists.org/oss-sec/2016/q2/214
>
> Daniel Veillard reported to us that these issues are the same and fixed
> by:
>
> https://git.gnome.org/browse/libxml2/commit/?id=bdd66182ef53fe1f7209ab6535fda56366bd7ac9
>
> The upstream bug is:
>
> https://bugzilla.gnome.org/show_bug.cgi?id=762100
>
> Can CVE-2016-4483 please be rejected as a duplicate of CVE-2016-3627?

What though is confusing is that the two commits are tagged accordingly
in the upstream git repository:

Tagged for CVE-2016-4483:
https://git.gnome.org/browse/libxml2/commit/?id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd

Tagged for CVE-2016-3627:
https://git.gnome.org/browse/libxml2/commit/?id=bdd66182ef53fe1f7209ab6535fda56366bd7ac9

For the updates in Debian thus we have used both and referenced both
CVEs, think Ubuntu has done the same in USN 2994
(http://www.ubuntu.com/usn/usn-2994-1/)

Regards,
Salvatore