Date: Wed, 30 Jul 2014 20:08:45 -0400 (EDT)
Subject: Re: CVE request: libressl before 2.0.2 under linux PRNG failure

>> I see a number of web pages relating to this issue are mentioning that
>> it has already been assigned CVE-2014-2970, can anyone throw light on this?

> At MITRE, we (obviously) know where CVE-2014-2970 came from, and we'll
> send information here about the resolution as soon as it happens.

We've since learned that nobody ever assigned CVE-2014-2970 to that
LibreSSL issue, and apparently every appearance of CVE-2014-2970 in "a
number of web pages" was ultimately the result of a miscommunication
outside of MITRE.

A complication is that CVE-2014-2970 had been assigned to a different
issue, and that issue isn't yet public. What you should do is:

  - if you're part of the embargo audience that has been using
    CVE-2014-2970 for a private vulnerability, use CVE-2014-5139

  - if you're not part of that embargo audience, all we can suggest is
    that it's very likely that you'll see a public disclosure of
    CVE-2014-5139 in the future
  - MITRE is not part of the embargo audience and does not know what
    the CVE-2014-5139 vulnerability is

  - MITRE has separately communicated the CVE ID change to the
    organization that originally assigned CVE-2014-2970

Soon, the MITRE CVE web site will have this for CVE-2014-2970:

  ** REJECT **

  DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2014-5139.  Reason:
  This candidate is a duplicate of CVE-2014-5139, and has also been used
  to refer to an unrelated topic that is currently outside the scope of
  CVE.  This unrelated topic is a LibreSSL code change adding
  functionality for certain process-bifurcation use cases that might
  arise in future LibreSSL-based applications.  There is no CVE ID
  associated with this LibreSSL code change.  As of 20140730,
  CVE-2014-5139 is an undisclosed vulnerability in a different product,
  with ongoing vulnerability coordination that had previously used the
  CVE-2014-2970 ID.

The MITRE CVE web site entry for CVE-2014-5139 will have the details
of the issue after the public disclosure happens.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]