Date: Thu, 26 Dec 2013 21:32:27 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Christian Heimes <christian@...imes.de>, psrt@...hon.org, Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: CVE issues with recent python flaws

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/23/2013 04:41 PM, Vincent Danen wrote:
> So I've been detangling some python issues that we were alerted to
> around this time last year, along with some other vendors.
>
> The work, and CVEs that were assigned (not sure by whom), are all
> public and since there are some issues that probably warrant a few
> more CVEs, I'm bringing this up on the list here (and also because
> no real announcements ever came out of the python camp regarding
> these).
>
> It's all noted in our bug
> (https://bugzilla.redhat.com/show_bug.cgi?id=1046174):
>
> * httplib (fixed in 2.7.4, 2.6.9, and 3.3.3)
> * ftplib (fixed in 2.7.6, 2.6.9, 3.3.3)
> * imaplib (not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3)
> * nntplib (fixed in 2.7.6, 2.6.9, 3.3.3)
> * poplib (not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3)
> * smtplib (not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x)
>
> http://bugs.python.org/issue16037
> http://hg.python.org/cpython/rev/8a22a2804a66/
> http://hg.python.org/cpython/rev/582e5072ff89
> http://hg.python.org/cpython/rev/e445d02e5306/
> http://bugs.python.org/issue16038
> http://hg.python.org/cpython/rev/44ac81e6d584/
> http://hg.python.org/cpython/rev/8b19e7d0be45/
> http://hg.python.org/cpython/rev/38db4d0726bd/
> http://bugs.python.org/issue16039
> http://hg.python.org/cpython/rev/4190568ceda0/
> http://hg.python.org/cpython/rev/4b0364fc5711/
> http://bugs.python.org/issue16040
> http://hg.python.org/cpython/rev/36680a7c0e22/
> http://hg.python.org/cpython/rev/731abf7834c4/
> http://hg.python.org/cpython/rev/fc88bd80d925/
> http://bugs.python.org/issue16041
> http://hg.python.org/cpython/rev/7214e3324a45/
> http://hg.python.org/cpython/rev/68029048c9c6/
> http://bugs.python.org/issue16042
> http://hg.python.org/cpython/rev/8a6def3add5b/
>
> One CVE (CVE-2013-1752) was assigned to all of these, which would
> have been perfectly reasonable if they had _all_ been fixed
> simultaneously (or at least in the same version).
>
> My post here is two-fold: a) to let other vendors know about these
> issues so they can update/patch their own packages, and b) to see
> if MITRE wants to do anything with regards to the CVE assignments
> for these issues as it seems like we might need 3-4 CVEs here as
> only nntplib and ftplib carry the same fixed-in-versions across the
> board.

I'm leaving this one up to Mitre, my personal take: these are very
different code modules (different protocols) so CVE split, but I
defer to Mitre.

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993