Date: Sat, 18 May 2013 23:03:45 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: "Jason A. Donenfeld" <Jason@...c4.com>, Gilles Chehade <gilles@...lp.org>, misc@...nsmtpd.org Subject: Re: Re: CVE Request: DoS in OpenSMTPD TLS Support -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/18/2013 09:00 PM, Jason A. Donenfeld wrote: > On Sat, May 18, 2013 at 6:16 PM, Gilles Chehade <gilles@...lp.org> > wrote: >> Not too nice to send a CVE request without ANY coordination with >> us ... > > Sorry about that. I was in the midst of bumping packages in gentoo > to the snapshot where you had fixed the issue, when I figured it > might be wise to also get the issue tracked with a CVE asap. Sorry > for jumping the gun. For future reference you can get CVEs privately, although if you're not the official upstream this means there is a greater chance of duplicates (and thus of me saying "no, make a public request). So if you want to do this a possible compromise is to email me and the upstream and if upstream replies that it's ok then I'd probably go ahead. >> Just for the record, you contacted us today reporting a bug which >> could be memory corruption and you didn't know if it could be >> exploited. > > The quote was "I haven't looked into why this happens or if memory > corruption / code execution is a possibility, but at the very > least, it's a nasty DoS." > >> The snapshot mail, commit log and diffs makes the issue obvious > > Which is why I figured it was already a public issue, and > therefore not an issue to track it with a CVE. But apologies, > nonetheless, for jumping the gun. I'll coordinate with you more > closely in the future. Agreed, generally with public source code commits fixing an issue we consider it public and in general I would assign a CVE publicly, otherwise it gets to complicated to track/ensure embargoes/etc. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRmF0xAAoJEBYNRVNeJnmTvA4QAKJycT59hLMA+eod7hSmBiJi dIsSCe/g+m+TKZS0Vyx18+jh5+WDOBNvQXo+I9KD0tYs/s7zLfJymJcENRjqHJyG AutefIb+XqM+pVMh2FABe17unG94zWAlKSndjbPiK7X0yaSBnzUG3vAMA1ctCsfx N/HhlpG3VcJD9W+Ogt5gn333dTqcAJM9DE+dep86Ytk1DFe0IMBK0+sWRBtOmX/T xqVPsTPqjmO+GSTfJdLOEivLaUg0lvVdVziNvQ/lK8BNQX1WKOn8XLMqHCibLfd7 GDQYprXZyoAa3KRpLp6gIedK5QI1tk3vk08mhuzitafDaUFf2Nyt4wG2aWCRToDe uUXf9mAf5vfBhEmcxGwlrTIDUWL5HNw2KyMzQK/C1+TpJrSvpHz2ffTn5+biTZeV dmi3pFgJOWPKJ5vQk8kKkCM4T0drf/PWMDe02ZFpfYB2iOes+Y8M5i7b7888nqVV Xa2cjiBqi0yTrVQr6OxNotqeesCi3WK0I6o9D5IalaiVMXtC1h3M9xElFjjulkMZ YOxykuRrQMK8LyYBLndt40gBrh3oaqDT0lWu8lkhLqLF+g12YtBz4uBENT++renh nKSW5ZQYIfnG58hN9+xkmB/fZ4kZAGeEd0G8NVaCj/DXw4jD6VZls+6AJC551/La 6Ml9HMWFdxKrUmj6fP9f =81ky -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.