Date: Sat, 8 Mar 2008 18:18:48 +0100
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Cc: Florian Weimer <fw@...eb.enyo.de>, "Steven M. Christey" <coley@...us.mitre.org>, tss@....fi
Subject: Re: CVE? CCE? dovecot setting is often used incorrectly

On Saturday 08 March 2008, Florian Weimer wrote:
> * Jonathan Smith:
> > I've been trying to figure out what to do with this one. I'm not
> > inclined to believe it deserves a CVE given that it is
> > configuration (either dovecot config or filesystem permissions
> > configuration). I read once on mitre.org about "Common
> > Configuration Enumeration" aka "CCE" issues, but I've never seen
> > them actually used. Maybe this is a good candidate?
>
> Debian will release a security update with a patch, so we need a CVE
> anyway. We might use one from our pool (after all, it's an interplay
> between our default MTA and Dovecot, and may not be very widespread),
> or we might reference a generic one. I don't know which one is
> better.

For the generic issue you can use CVE-2008-1199.

Robert

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)