Date: Tue, 4 Mar 2014 12:35:06 -0500 (EST) From: cve-assign@...re.org To: meissner@...e.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE-2013-6800 is a dup of CVE-2013-1418 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6800 > is the same issue as > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1418 > > (basically the same code fix for the same issue, The scope of CVE-2013-1418 is this part of c2ccf4197f697c4ff143b8a786acdd875e70a89d: Multi-realm KDC null deref [CVE-2013-1418] ... If a KDC serves multiple realms, certain requests can cause setup_server_realm() to dereference a null pointer, crashing the KDC. CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C The scope of CVE-2013-6800 is this part of c2ccf4197f697c4ff143b8a786acdd875e70a89d: A related but more minor vulnerability requires authentication to exploit, and is only present if a third-party KDC database module can dereference a null pointer under certain conditions. The practical relevance of the second CVE is that, based on the available information, a KDC apparently can be vulnerable to CVE-2013-6800 even if the CVE-2013-1418 exploitation conditions are not met. The vendor's disclosure binds the CVE-2013-1418 ID only to a subset of the c2ccf4197f697c4ff143b8a786acdd875e70a89d comment. This was accompanied by a similar binding within third-party references such as 1026942 in the Red Hat Bugzilla. It is conceivable that someone would want to track CVE-2013-6800 even if they determined that CVE-2013-1418 was not relevant to their installation. In general, even if a single patch could address two distinct types of attacks, that does not necessarily mean that two CVEs are duplicates. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTFgz+AAoJEKllVAevmvmsg2AIAK3YEISuzaCFszqZIUMc7xTu c19WulvIAzWTzCplCiYsq/y9y146PKCNSKeYZM9pLx/Nk5kz0m9627YmqCOxbzMx 7xQw0fn5F07/wOn2HFGdh6MxC1J7qGK+2EyBeL6yYdTEY4aNdLNGTZZP5YzQAP7O yHL7Bh2ko3WWZKZ2f4qTGzRvbN7G5ZDQzTsTYDJUhqQUuvMCnP8NpnTb7qC/RGNH k+u7lkohA/1gst476tb/uVSAYfwH/8zPkhygC6WlSRwrs3DoP+T6Ycle+6+1hH4z 7dlr1GXmAx989KG6TsjY+gmM9DHAnAOTM9wMA1ext8OWX7a40qVFlhZbQMr+M8Q= =oIex -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.