Date: Wed, 4 Jan 2012 13:02:26 -0700
From: Vincent Danen <>
Cc:,, Mark Thomas <>
Subject: Re: Re: CVE-2011-4858 confusion

* [2012-01-04 09:50:48 -0500] wrote:

>MITRE is still working on this. Our current perspective is that
>CVE-2011-4084 is one vulnerability that was confirmed by the upstream
>vendor, and CVE-2011-4858 is a different vulnerability that was not
>confirmed by the upstream vendor. There are apparently related test
>cases and test results that are not yet public.

We received an email from upstream Tomcat asking us to make that change.
CVE-2011-4858 is the CVE for the hash collision issue.

I'm cc'ing Mark who made the original request to us.  Mark, could you
please clarify?


Vincent Danen / Red Hat Security Response Team 
