Date: Fri, 31 Oct 2008 16:18:36 -0400 (EDT) From: "Steven M. Christey" <coley@...us.mitre.org> To: oss-security@...ts.openwall.com Subject: Re: CVE-2008-4619 / milw0rm6775 On Wed, 29 Oct 2008, Tomas Hoger wrote: > Looks like this is a dupe of CVE-2007-0165 after all... > > http://www.securityfocus.com/bid/21964/ > http://secunia.com/advisories/23700/ > http://secunia.com/advisories/32403/ Nothing against these sources but in general CVE wants a solid "logic chain" between 2 descriptions before declaring a dupe. In this case CVE-2007-0165 is anchored on a very vague description from Sun about something in libnsl. CVE-2008-4619 is quite specific. Just because it's the same rpcbind service is insufficient as we all know that the same package can contain multiple security bugs. The most solid connection here, though, is SUNALERT:102713 (which CVE-2007-0165 is anchored on) has now been renamed to SUNALERT:200412, which directly references CVE-2008-4619. I'll send a quick-check email to Sun but these do appear to be dupes. So then the question is which CVE to reject, and I'm not sure at this moment. - Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.