Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Mar 2010 13:01:18 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Vincent Danen <vdanen@...hat.com>
cc: "Steven M. Christey" <coley@...us.mitre.org>,
        oss-security@...ts.openwall.com
Subject: Re: CVE-2009-3297 samba/ncpfs/fuse issues granted individual 2010
 CVE names?


On Tue, 2 Mar 2010, Vincent Danen wrote:

> * [2010-03-02 13:05:28 -0500] nobody@...hat.com via RT wrote:
>
> Hi, Steve.  I'm confused about these three CVEs, particularly since
> CVE-2009-3297 was assigned to this issue (I suppose it would be more
> correct to have 3 CVEs for the issue, but I'm not sure then why
> CVE-2009-3297 was completely ignored unless you intend for it to be not
> used/duplicated to one of these?).

Sorry about not informing oss-security when I did this; I meant to.

CVE-2009-3297 has been rejected since it was used heavily for multiple 
issues that should have been assigned separate entries.  People weren't 
just using CVE-2009-3297 for Samba, they were using it for fuse and 
others.

This rejection has since been uploaded to the CVE site:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3297

Along with the three new CVEs:

CVE-2010-0787 (Samba)
CVE-2010-0788 (ncpfs)
CVE-2010-0789 (FUSE)

I try very hard to avoid doing this kind of split (and REJECT) except when 
it seems like there will be a lot of confusion; I know how much work it is 
to clean these up in advisories and so on.  I recognize that many people 
have used CVE-2009-3297 for the Samba problem, but it's been used in 
DEBIAN:DSA-1989 for FUSE and FEDORA-2010-1145 for ncpfs, for example.  An 
administrator who thinks that "CVE-2009-3297 is fixed" might have solved 
the ncp issue but still be vulnerable to the Samba issue.

I had originally asked oss-security for clarification on this, without an 
answer:

http://www.openwall.com/lists/oss-security/2010/02/04/7

(recognizing that I'm the most guilty party for not answering...) but 
other situations forced me to clear this out.

> I'm also confused on using a 2010-based name since our bugzilla entry is
> dated 2009-11-04, and Samba upstream has their reported dated
> 2009-10-28, so these should have received 2009-based names.

I agree - this was an error on my part, so I apologize for the confusion.

- Steve

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.