Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 5 Dec 2016 16:47:25 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: ondrej@...y.org, cve-assign@...re.org, team@...urity.debian.org,
	dariusz.dwornikowski@...put.poznan.pl,
	sam-k6mymjcnjpz3fmkieotlt7rbgvqt98qy@...iam.org
Subject: Re: Re: Remote crash in MaraDNS 2.0.13 and git master

Hi MITRE CVE assigning team,

On Mon, Nov 14, 2016 at 01:36:58PM -0500, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> > remote crash bug in MaraDNS 2.0.13 js_readuint16
> 
> Use CVE-2016-9300.
> 
> 
> > remote crash bug in MaraDNS 2.0.13 js_substr
> 
> Use CVE-2016-9301.
> 
> 
> > remote crash bug in MaraDNS 2.0.13 process_query -> this in fact
> > looks like stack smashing, since it crashes on htons in an unrelated
> > place
> 
> Use CVE-2016-9302.

According to the analysis of Sam Trenholme in
https://bugs.debian.org/844121#32, and confirmed by Ondrej, afaics,
those above would not be vulnerabilities in MaraDNS. Can you please
reject those three CVEs?

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.