Date: Wed, 9 Dec 2015 14:15:34 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: "Evans, Jonathan L." <jevans@...re.org>
Cc: oss-security <oss-security@...ts.openwall.com>, CVE ID Requests <cve-assign@...re.org>
Subject: Re: CVE for git issue - please use CVE-2015-7545

I'm pretty sure people expect git recursive fetch to result in data being
fetched (potentially quite a lot) but that it does NOT result in arbitrary
command/code execution. As such (the potential for remote code execution)
we feel this is a security issue, hence the security updates from Red Hat.



On Wed, Dec 9, 2015 at 1:26 PM, Evans, Jonathan L. <jevans@...re.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We are not certain if the assignment of CVE-2015-7545 is correct.  The vendor
> may not officially support the "blindly enable recursive fetch" scenario, i.e.
> the user is expected to accept the risk of executing a recursive fetch from an
> untrusted source, and the change should be considered a security hardening
> feature for the convenience of their users.
>
> MITRE has been actively working with the upstream vendor to determine the
> appropriate number of CVEs for the vulnerabilities.  There was no oss-security
> post from us because the context of MITRE's work was related to previous
> private communication from and to the upstream vendor.
>
> In the future, we plan to respond quickly to requests like the initial one,
> asking the requester for the appropriate information needed to assign a
> CVE ID.
>
> --
> Jonathan Evans
> CVE assignment team, MITRE CVE Numbering Authority M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through
> http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBAgAGBQJWaI5KAAoJEL54rhJi8gl5WDsQAL1khrVZkPxjgxauyLhaaPKA
> +zQogmqLzJmAlx6JNj5ehKNvSkPFX9J4TzJ7IyYdEiVaeoUvbWJHu+CCNfmsiEXv
> jmMDCfMOTeHUhHBi0DaeAklspzN11a78m+y4LV1ixB2/75PRHapNR36Ff2OLB6L0
> PDCW3Kwl0QBRWg+ezF4SeOfJNqCYUaat6oW16wgL33b1NTPveP7Iop0INHwb/ebd
> UEak3vZTeHowT0IP0/5wbUyqEmYXONvUuXfRvLuQQzVL2qfValAN6KMbFq2mjYEm
> SeGj9uNTBf16ATF/BboN3IWElBtGLfIwY3Rleu8NtMmKruR8rEP9tqDZKdnZI50K
> +c6S3sdqlfzc8F2m99dGE5FuXe/qY0WfALo8vDgNs58zR5uh23rIIGZwgU4zxl32
> V71ssQr/hbfxen8u3ZJ258bRVmhh8SFyykKznYdC0iq1Zf58oIwmUgja5AbNNkqI
> 39jeBeAVrdmmMIMrrw+hYDRRFcRXHRkGM95gMCSjBSHY68/duKfN+G3CIRntxtek
> /Cu3IIy50FybOfOERdy+NBsQV8yK2LR+PXWXMmik0JgYMRXkwH6zSf5opbwGDWQb
> 0nI+HIKSUXdmjGHyVE8YqgeFcb52W9+EbdybuRkdbZq09rUWUr94FPjR73VNA8Yj
> 755moYSPJKuOLPJK33pi
> =IV1v
> -----END PGP SIGNATURE-----
>



-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
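The scenario both messages argue about is a superproject fetched from an untrusted source with its submodules fetched blindly. An operator who has to do that can add a check of their own before letting git choose a transport for each submodule URL. The script below is an added example, not code from this thread, from the git project or from Red Hat: it parses a .gitmodules file, classifies the transport each submodule URL would select, and refuses the recursive fetch unless every transport is on an explicit allowlist. Git's own mitigation in this area is a transport allowlist (the GIT_ALLOW_PROTOCOL environment variable, later the protocol.allow setting); this is an independent pre-flight version of the same idea. The allowlist, the transport names and the sample .gitmodules are constructed for the example.

```python
"""Pre-flight check of .gitmodules before a recursive fetch from an untrusted source.

'git clone --recursive' and 'git fetch --recurse-submodules' follow every
submodule URL the superproject declares.  This script classifies the transport
each URL would select and flags anything outside an explicit allowlist, so the
operator can refuse the fetch instead of letting git pick the transport.
Assumptions: the allowlist, transport names and sample .gitmodules below are
constructed for this example and are not from the oss-security thread.
"""
import re
from typing import List, NamedTuple

# Transports that only move data over a well-understood channel.
# (Constructed allowlist; tune to local policy.)
DEFAULT_ALLOW = frozenset({"https", "ssh", "git"})

_SECTION = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
_KEYVAL = re.compile(r'^\s*(?P<key>[A-Za-z][\w-]*)\s*=\s*(?P<val>.*?)\s*$')
_SCHEME = re.compile(r'^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://')
_HELPER = re.compile(r'^(?P<helper>[A-Za-z][A-Za-z0-9+.-]*)::')
_SCP = re.compile(r'^(?:[^@/:]+@)?[^/:]+:(?!//)')


class Finding(NamedTuple):
    name: str
    url: str
    transport: str
    allowed: bool


def classify_url(url: str) -> str:
    """Return the transport git would select for a submodule URL.

    Order matters: git tests the '<helper>::<address>' remote-helper form
    before the '<scheme>://' form, so a helper URL is reported as
    'helper:<name>' rather than as a scheme.
    """
    m = _HELPER.match(url)
    if m:
        return "helper:" + m.group("helper").lower()
    m = _SCHEME.match(url)
    if m:
        return m.group("scheme").lower()
    if url.startswith(("./", "../")):
        return "relative"      # resolved against the superproject's own URL
    if _SCP.match(url):
        return "ssh"           # scp-like user@host:path form
    return "file"              # bare local path


def parse_gitmodules(text: str) -> dict:
    """Parse the INI-like .gitmodules format into {name: {key: value}}."""
    modules, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        sec = _SECTION.match(line)
        if sec:
            current = modules.setdefault(sec.group("name"), {})
            continue
        kv = _KEYVAL.match(line)
        if kv and current is not None:
            current[kv.group("key").lower()] = kv.group("val")
    return modules


def check_gitmodules(text: str, allow=DEFAULT_ALLOW) -> List[Finding]:
    """One Finding per declared submodule, in declaration order."""
    findings = []
    for name, cfg in parse_gitmodules(text).items():
        url = cfg.get("url", "")
        transport = classify_url(url)
        findings.append(Finding(name, url, transport, transport in allow))
    return findings


def fetch_is_safe(text: str, allow=DEFAULT_ALLOW) -> bool:
    """True only if every declared submodule uses an allowlisted transport."""
    return all(f.allowed for f in check_gitmodules(text, allow))


# Constructed sample: two ordinary submodules plus two that an operator
# should refuse to fetch recursively without review (a remote helper and a
# bare local path).
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "libbar"]
\tpath = vendor/libbar
\turl = git@example.invalid:org/libbar.git
[submodule "tools"]
\tpath = tools
\turl = ext::ssh -p 2222 git.example.invalid %S foo/repo
[submodule "local"]
\tpath = local
\turl = /srv/mirrors/local.git
"""

if __name__ == "__main__":
    for f in check_gitmodules(SAMPLE_GITMODULES):
        print(f"{'OK  ' if f.allowed else 'DENY'} {f.name:8} {f.transport:12} {f.url}")
    print("recursive fetch allowed:", fetch_is_safe(SAMPLE_GITMODULES))
```

Run it against the .gitmodules of the superproject after a non-recursive clone and before any `git submodule update --init --recursive`; a deny result means a human looks at the offending URL rather than the fetch proceeding. The allowlist is deliberately small: anything that is not plainly a data transport (remote helpers, local paths) is refused by default and has to be added explicitly.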
