Date: Wed, 09 Oct 2013 23:54:36 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: cve-assign@...re.org
CC: oss-security@...ts.openwall.com
Subject: Re: 2 CVE's to be rejected

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/09/2013 11:35 PM, cve-assign@...re.org wrote:
>> The following two CVEs were used internally, one for an issue
>> that turns out not to be an issue (looong story) and one for an
>> issue with the same root cause as another (so duplicate). We
>> could in theory recycle them but I feel it safer to not reuse
>> them in case they leak out and cause confusion.
> 
>> Please REJECT CVE-2013-1870
>> Please REJECT CVE-2013-4398
> 
> Our current process for rejecting as a duplicate requires that the 
> REJECT description specify the duplicated CVE ID. Would you be able
> to say which one (1870 or 4398) had the duplicate/same-root-cause 
> situation, and the correct CVE ID for the vulnerability with that
> root cause?
> 
> We would want this information even if the correct CVE ID still
> refers to an embargoed issue.

The duplicate issue is still embargoed, the other one is also an
embargoed issue. I have made notes in our system to notify
oss-security/Mitre when they unembargo (so we'll announce the details
then).

In future should we hold CVE reject notifications until we can provide
the information as to why? I figured sooner was better (but I can also
see holding off until details can be released being a sane choice).

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
-----END PGP SIGNATURE-----
