Date: Thu, 15 Sep 2016 18:00:08 -0400 (EDT)
From: cve-assign@...re.org
To: noloader@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Does a documentation bug elevate to CVE status? - Crypto++

> did not tell users that they must define -DNDEBUG when using alternate
> build systems, like Autotools or CMake

> machinery could engage that
> egresses the sensitive information to the file system (core files and
> the like). On some platforms, like Ubuntu with Apport, Apple with
> CrashReporter, and Windows with Windows Error Reporting, the sensitive
> information is egressed to a third party

Use CVE-2016-7420 for this Crypto++ (aka cryptopp) vulnerability.

In general, documentation bugs can have CVEs. Maybe the easiest
example to find is CVE-2010-4179.
http://www.openwall.com/lists/oss-security/2015/11/10/12 is another
example of how misleading documentation can have a CVE.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]