Date: Tue, 7 Jun 2016 09:49:00 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Mitre CVE assign department <cve-assign@...re.org>
Subject: Re: Please reject duplicate CVE for libxml2

Hi,

On Tue, Jun 07, 2016 at 09:34:51AM +0200, Martin Prpic wrote:
> Hi, it seems two CVEs were assigned for the same issue in libxml2:
> 
> http://seclists.org/oss-sec/2016/q1/683
> http://seclists.org/oss-sec/2016/q2/214
> 
> Daniel Veillard reported to us that these issues are the same and fixed
> by:
> 
> https://git.gnome.org/browse/libxml2/commit/?id=bdd66182ef53fe1f7209ab6535fda56366bd7ac9
> 
> The upstream bug is:
> 
> https://bugzilla.gnome.org/show_bug.cgi?id=762100
> 
> Can CVE-2016-4483 please be rejected as a duplicate of CVE-2016-3627?

What is confusing, though, is that the two commits are tagged
accordingly in the upstream git repository:

Tagged for CVE-2016-4483:
https://git.gnome.org/browse/libxml2/commit/?id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd

Tagged for CVE-2016-3627:
https://git.gnome.org/browse/libxml2/commit/?id=bdd66182ef53fe1f7209ab6535fda56366bd7ac9

For the updates in Debian we have thus used both and referenced both
CVEs; I think Ubuntu has done the same in USN 2994
(http://www.ubuntu.com/usn/usn-2994-1/).

Regards,
Salvatore
