Date: Thu, 2 Jan 2014 14:55:09 -0500 (EST) From: "Steven M. Christey" <coley@...re.org> To: oss-security@...ts.openwall.com Subject: Re: Duplicated CVE assignment for bip Moritz, These are two slightly different issues, although a casual reading of the descriptions does not make that sufficiently clear. The original CNA assignment of CVE-2013-4550 did not consider that there appear to be two different types of issues, which means a SPLIT of the CVE ID. The issues are disclosed in Bug 261 here: https://projects.duckcorp.org/issues/261 The first issue is that Bip will write to arbitrary sockets when run in daemon mode because stderr is closed: "when using SSL (client_side_ssl = true), bip will write an error to stderr when the SSL handshake fails. However, if it is running as a daemon, stderr will have been closed." We narrowed the scope of CVE-2013-4550 to this first issue. Note that while the bug was apparently filed and public in 2011, it was given a CVE-2013-xxxx ID, but we don't usually reject an ID simply because it is out of sync with the disclosure date. We also didn't see a need to REJECT this CVE because of the scope change either, since it's in reasonably wide use. The second issue covers connections that are never closed: "Also, when an SSL handshake error occurs, a socket is never closed, but remains in CLOSE_WAIT state forever. This happens because a socket that is set to have an error will never be closed." A fix for the first issue would not necessarily guarantee a fix of the second issue, and the bugs are of different types. Therefore the second issue is SPLIT from the first. We assigned CVE-2011-5268 accordingly, since at the time of assignment, we knew that 2011 was the disclosure date. When we published these CVEs, we probably should have notified oss-security, or at least modified CVE-2011-5268 and CVE-2013-4550's descriptions to reflect the close relationships. I apologize for that. - Steve On Thu, 2 Jan 2014, Moritz Muehlenhoff wrote: > Hi, > Seems there's a duplicated CVE ID for bip: > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4550 and > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5268 refer > to the same bugreport. > > Since CVE-2013-4550 was used for much longer, CVE-2011-5268 should > be rejected? > > Cheers, > Moritz >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.