Date: Mon, 12 Apr 2010 18:18:10 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Josh Bressers <bressers@...hat.com>
cc: oss-security@...ts.openwall.com, coley@...re.org
Subject: Re: CVE request: irssi 0.8.15

On Mon, 12 Apr 2010, Josh Bressers wrote:

>> "This release fixes two security issues: The first being that Irssi
>> didn't check hostname on SSL connections and the other being a hard to
>> exploit remote crash bug."
>
> The crash bits mentioned in the changelog are very ambiguous. The git tree
> isn't any more clear than that. There appear to be two crashes, both sound
> like NULL pointer dereferences that cannot be triggered by an attacker. If
> I'm wrong, please speak up.

Josh, I think we should assign another CVE anyway. The upstream vendor has
explicitly labeled this as a security issue, so even if it seems of limited
severity, that's enough to trigger creation of a CVE. The use of the "remote
crash" term also reinforces the need for a CVE.

This might be just a plain old crasher from the perspective of many
downstream vendors, but it's still worthy of inclusion in CVE because there
is a significant population that would treat it as a "security" problem even
if it's low severity.

Should I assign one or should you?

- Steve
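The first issue quoted from the irssi changelog, a TLS client that validates the certificate chain but never compares the presented certificate to the hostname it connected to, is a general client-side bug class. The following Python example is added here to illustrate that check; it is not irssi code and has nothing to do with irssi's C implementation. It shows the weak versus the hardened `ssl.SSLContext` configuration, and a small RFC 6125-style matcher run against a constructed certificate dictionary in the shape `ssl.SSLSocket.getpeercert()` returns, so it runs offline without a network or real certificates.

```python
import ssl


def make_verifying_context() -> ssl.SSLContext:
    """Hardened client context: chain is verified AND the leaf certificate
    must match the hostname passed as server_hostname when wrapping."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def make_chain_only_context() -> ssl.SSLContext:
    """The weak configuration described in the changelog: the chain is still
    validated, but any valid certificate for any name is accepted, so a
    man-in-the-middle holding a certificate for some other name passes."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False          # hostname binding dropped
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate.

    `cert` uses the getpeercert() layout: "subjectAltName" is a tuple of
    (type, value) pairs and "subject" a tuple of RDNs. Only DNS SANs are
    consulted; the CN is used solely when no SAN is present. A wildcard
    is honoured only as the complete leftmost label and never matches
    more than one label or the bare parent domain (RFC 6125 section 6.4.3).
    """
    names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # legacy fallback: commonName only if the certificate has no SAN
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)

    host = hostname.rstrip(".").lower()
    if not host or "*" in host:
        return False

    for name in names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        # single wildcard, entire leftmost label, at least two fixed labels
        if name.startswith("*.") and "*" not in name[2:] and name.count(".") >= 2:
            suffix = name[1:]  # ".example.org"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


# Constructed certificate, NOT from any real server: a leaf for an IRC host
# with one wildcard SAN for its cluster.
SAMPLE_CERT = {
    "subject": ((("commonName", "irc.example.org"),),),
    "subjectAltName": (("DNS", "irc.example.org"), ("DNS", "*.chat.example.org")),
}

if __name__ == "__main__":
    for h in ("irc.example.org", "node1.chat.example.org",
              "chat.example.org", "evil.example.net"):
        print(f"{h:28s} -> {hostname_matches(SAMPLE_CERT, h)}")
```

With `make_verifying_context()` the hostname comparison is done by the library when a socket is wrapped with `server_hostname=...`; `hostname_matches` exists only to make visible what that comparison rejects, which is the check the old client skipped.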