Date: Tue, 17 Mar 2015 15:24:19 -0400 (EDT)
From: cve-assign@...re.org
To: cap@....liu.se
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Incomplete data at nvd for CVE-2014-8159 (infiniband / verbs)

Thanks very much for passing along a link to the affected drivers/infiniband/core/umem.c source code. This specific CVE wasn't previously announced on the oss-security list, but your message has important information about an open-source vulnerability.

> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8159

For a CVE assigned by Red Hat, it's their prerogative to make their initial announcement in a document that doesn't mention the related source-code change and doesn't state whether the document's information is applicable to upstream. Linux kernel CVEs published by MITRE (or NVD) normally don't mention fixed Red Hat package versions, but we do prefer to include some type of related version information if the upstream applicability is not (yet) known. This doesn't mean precisely expressing a single distribution's data when better information is likely to be released soon.

This CVE's version information will be updated based on your report and other sources. In this case, 2.6.32-504.12.2 was the only actionable version information determined directly from Red Hat's document. The specific source-code change from https://community.mellanox.com/message/4402#4402 isn't in 3.19.1 or 4.0-rc4.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]