Date: Fri, 8 Jul 2016 15:43:31 -0400 From: Glenn Randers-Pehrson <glennrp@...il.com> To: oss-security@...ts.openwall.com Cc: CVE ID Requests <cve-assign@...re.org> Subject: Re: On anonymous CVE assignments *CVE*-*2016*-*3751*(H) On Fri, Jul 8, 2016 at 9:55 AM, Kurt Seifried <kseifried@...hat.com> wrote: > Also if projects don't like "Surprise" CVEs one way to deal with that is to > request the CVE's themselves when they know something is a security > vulnerability. Also making it easy to contact them helps, the harder you > make it for a security researcher to deal with you, the less likely they > are to. > It's hard to do that when a "surprise" CVE was never sent to the project, for example *CVE*-*2016*-*3751*(H) which just appeared in an Android security bulletin. It claims that libpng has a bug that allows privilidge escalation and was reported 3 Dec 2015. I'm guessing that it is a duplicate of CVE-2015-8126 or CVE-2015-8472, but it's hard to tell for sure without seeing it. All I've been able to find out is that it is a "reserved" CVE, with no clue as to who reserved it. Glenn Randers-Pehrson libpng custodian
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ