Date: Wed, 3 Mar 2010 13:01:18 -0500 (EST) From: "Steven M. Christey" <coley@...us.mitre.org> To: Vincent Danen <vdanen@...hat.com> cc: "Steven M. Christey" <coley@...us.mitre.org>, oss-security@...ts.openwall.com Subject: Re: CVE-2009-3297 samba/ncpfs/fuse issues granted individual 2010 CVE names? On Tue, 2 Mar 2010, Vincent Danen wrote: > * [2010-03-02 13:05:28 -0500] nobody@...hat.com via RT wrote: > > Hi, Steve. I'm confused about these three CVEs, particularly since > CVE-2009-3297 was assigned to this issue (I suppose it would be more > correct to have 3 CVEs for the issue, but I'm not sure then why > CVE-2009-3297 was completely ignored unless you intend for it to be not > used/duplicated to one of these?). Sorry about not informing oss-security when I did this; I meant to. CVE-2009-3297 has been rejected since it was used heavily for multiple issues that should have been assigned separate entries. People weren't just using CVE-2009-3297 for Samba, they were using it for fuse and others. This rejection has since been uploaded to the CVE site: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3297 Along with the three new CVEs: CVE-2010-0787 (Samba) CVE-2010-0788 (ncpfs) CVE-2010-0789 (FUSE) I try very hard to avoid doing this kind of split (and REJECT) except when it seems like there will be a lot of confusion; I know how much work it is to clean these up in advisories and so on. I recognize that many people have used CVE-2009-3297 for the Samba problem, but it's been used in DEBIAN:DSA-1989 for FUSE and FEDORA-2010-1145 for ncpfs, for example. An administrator who thinks that "CVE-2009-3297 is fixed" might have solved the ncp issue but still be vulnerable to the Samba issue. I had originally asked oss-security for clarification on this, without an answer: http://www.openwall.com/lists/oss-security/2010/02/04/7 (recognizing that I'm the most guilty party for not answering...) but other situations forced me to clear this out. > I'm also confused on using a 2010-based name since our bugzilla entry is > dated 2009-11-04, and Samba upstream has their reported dated > 2009-10-28, so these should have received 2009-based names. I agree - this was an error on my part, so I apologize for the confusion. - Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.