Date: Wed, 30 Jul 2014 20:08:45 -0400 (EDT)
From: cve-assign@...re.org
To: stu@...cehopper.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, hanno@...eck.de
Subject: Re: CVE request: libressl before 2.0.2 under linux PRNG failure

>> I see a number of web pages relating to this issue are mentioning that
>> it has already been assigned CVE-2014-2970, can anyone throw light on this?

> At MITRE, we (obviously) know where CVE-2014-2970 came from, and we'll
> send information here about the resolution as soon as it happens.

We've since learned that nobody ever assigned CVE-2014-2970 to that LibreSSL issue, and apparently every appearance of CVE-2014-2970 in "a number of web pages" was ultimately the result of a miscommunication outside of MITRE.

A complication is that CVE-2014-2970 had been assigned to a different issue, and that issue isn't yet public. What you should do is:

- if you're part of the embargo audience that has been using CVE-2014-2970 for a private vulnerability, use CVE-2014-5139 instead

- if you're not part of that embargo audience, all we can suggest is that it's very likely that you'll see a public disclosure of CVE-2014-5139 in the future

Also:

- MITRE is not part of the embargo audience and does not know what the CVE-2014-5139 vulnerability is

- MITRE has separately communicated the CVE ID change to the organization that originally assigned CVE-2014-2970

Soon, the MITRE CVE web site will have this for CVE-2014-2970:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality for certain process-bifurcation use cases that might arise in future LibreSSL-based applications. There is no CVE ID associated with this LibreSSL code change.
As of 20140730, CVE-2014-5139 is an undisclosed vulnerability in a different product, with ongoing vulnerability coordination that had previously used the CVE-2014-2970 ID. The MITRE CVE web site entry for CVE-2014-5139 will have the details of the issue after the public disclosure happens.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]