Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201406301454.s5UEsBjg019256@linus.mitre.org>
Date: Mon, 30 Jun 2014 10:54:11 -0400 (EDT)
From: cve-assign@...re.org
To: mmcallis@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE requests: nagios check_dhcp plug-in: read parts of INI config files belonging to root

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a somewhat unusual situation for CVE because there are two
cases in which a researcher reported a subset of the problem, and then
a vendor fix was announced that apparently addressed the problem
without modifying the component mentioned by the researcher.

> http://seclists.org/fulldisclosure/2014/May/74
> 
> This was fixed in version 2.0.2:
> 
> <http://nagios-plugins.org/nagios-plugins-2-0-2-released/>

Use CVE-2014-4701 for the report in
http://seclists.org/fulldisclosure/2014/May/74 stating that check_dhcp
is affected. (http://nagios-plugins.org/nagios-plugins-2-0-2-released/
is also an applicable reference for this CVE.)

Use CVE-2014-4702 for the report in
http://nagios-plugins.org/nagios-plugins-2-0-2-released/ stating that
check_icmp is affected. This is new vector information announced at a
different time by a different party.

(From a practical perspective, someone might have been tracking Nagios
Plugins security on the basis of fulldisclosure posts, and decided to
"fix" http://seclists.org/fulldisclosure/2014/May/74 by simply
deleting the check_dhcp plugin. In this case, CVE-2014-4702 is useful
because that installation was still vulnerable after that
CVE-2014-4701 remediation action.)


> http://seclists.org/fulldisclosure/2014/Jun/141
> 
> This was fixed in version 2.0.3:
> 
> <http://nagios-plugins.org/nagios-plugins-2-0-3-released/>

Use CVE-2014-4703 for the report in
http://seclists.org/fulldisclosure/2014/Jun/141 stating that
check_dhcp is affected.
(http://nagios-plugins.org/nagios-plugins-2-0-3-released/ is also an
applicable reference for this CVE.)

Here, the vendor did not announce any additional vector information
(and only referred to "the SUID vulnerability discovered by David
Golunski") so we can't assign a fourth CVE ID for the
http://nagios-plugins.org/nagios-plugins-2-0-3-released/ post. It's
possible that this is actually a parallel situation, so if anyone
wants to announce an issue in 2.0.2 that's not specifically about
check_dhcp, an additional CVE ID could be assigned.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTsXlEAAoJEKllVAevmvmsIs8H/0nIgPWQJWEXPckNuYNPwAof
Cxedes/xZ4Btuw+90PfGPPIrPaN6JJkg9+kFBEMLMQWy/AwTLjHkU7CMmVB7kTtx
DPPkQX7wPvRxM1ZcWA4zonsa5h/eGqiXBlrkl/C8qzsuPxGhRC+SVLDu8tIarQuw
CPHS4haMnMSPMAnY3Iqaproh0Bm3f/5q+3wDpsVKJS/YZX/iS+EgPpJ/T+1BJwOu
NLEfIuMAHiV99nA0OzZpLy9rClfE7Mhurfg+u3s2TKVTtjoEWddyWXnP4iHdhtU1
YvOLW3uMrVj7qQHR8ZHtpPD3smpHS6wU7ZPsN6qQkkKwYV3NU1/Yid+Ygv3Bitc=
=N17g
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.