Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 19 Jun 2012 15:05:04 -0400 (EDT)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: oss-security@...ts.openwall.com
cc: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...-smtp.mitre.org>,
        Josh Bressers <josh@...ss.net>
Subject: Re: CVE Request -- Revelation: 1) Limits effective
 password length to 32 characters 2) Doesn't iterate the passphrase through
 SHA algorithm to derive the encryption key


On Mon, 18 Jun 2012, Kurt Seifried wrote:

> Assigned 2012 CVE's as the first clear mention of the issues is in the
> codepoet.no ticket. The Blog entry for 2010 mentions the issue
> indirectly so I'm going with the more concrete mention.

This is a reasonable approach to take.  The year portion of a CVE 
identifier can't always be associated with the actual year of disclosure, 
and in this case, it's arguable what counts as "sufficient disclosure" 
anyway.  A couple minutes of investigation is sufficient.

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.