Date: Sat, 4 Jul 2015 12:58:40 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: please REJECT CVE-2015-3199

> http://projects.theforeman.org/issues/10469
>
> "This was reported by Ori Rabin to foreman-security (thanks!) and a CVE
> identifier was filed under CVE-2015-3199, but it turned out this does
> not affect any released upstream version."
>
> so it was effectively in an unreleased version, thus no need for CVE.

The scope of CVE isn't strictly limited to released upstream versions. As mentioned at the bottom of the http://openwall.com/lists/oss-security/2015/01/04/7 post, some products sometimes have CVEs for this type of unreleased software, whereas others do not. We feel that Foreman is probably in the latter category.

http://theforeman.org/contribute.html and 10469 suggest that the incorrect code was found only on the develop branch:

- Master - latest stable release code
- Develop - new features and bug fixes

Master is frozen between major releases.

http://theforeman.org/introduction.html doesn't suggest that anyone ships a product using code from the Foreman develop branch, but we don't want to immediately rule out that possibility.

This seems to be a good choice for moving to the REJECT state, and we will most likely do that next week unless there's an important reason to keep CVE-2015-3199.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]