Message-Id: <201302071933.r17JXXJP011224@linus.mitre.org>
Date: Thu, 7 Feb 2013 14:33:33 -0500 (EST)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations

>Can you assign one more for matrixssl?
>http://www.matrixssl.org/news.html

The short answer is that you should map that MatrixSSL changelog
to CVE-2013-0169.

Here's how MITRE is currently looking at the set of issues:

CVE-2013-0169 is the identifier for the multi-vendor issue in the
TLS and DTLS protocols discussed in the
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf paper.

We anticipate that several more vendors will release changelogs,
with various levels of detail, mapping to that paper:

-- If the changelog simply reports a new release to address that
   paper's issue, MITRE will consider that changelog to be a
   CVE-2013-0169 reference. A new CVE will not be created for that
   single vendor or a single product.

-- If the vendor states that it uses a codebase corresponding to
   one of the other
   http://openwall.com/lists/oss-security/2013/02/05/24 CVEs (aka
   side issues), then the changelog will become a reference for
   that CVE.

-- If the vendor makes any other statement about a vulnerability
   fix for a side issue, a new CVE will be created for the new side
   issue.

This approach should enable MITRE to provide reasonably consistent CVE
abstraction without detailed study of each vendor's code.

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]