Date: Wed, 10 Oct 2018 08:38:50 +0200
From: Magnus Klaaborg Stubman <magnus@...bman.eu>
To: carnil@...ian.org,
 abergmann@...e.com
Cc: oss-security@...ts.openwall.com
Subject: Re: net-snmp 5.7.3 unauthenticated remote Denial of
 Service (exploit available)

Hi guys,

Yesterday I submitted a change request asking MITRE to mark CVE-2018-18066 as a duplicate of CVE-2015-5621.
Thank you for bringing the issue to my attention!

Magnus

> On 9 Oct 2018, at 11.21, Salvatore Bonaccorso <carnil@...ian.org> wrote:
> 
> Hi,
> 
> On Tue, Oct 09, 2018 at 12:31:32AM +0200, Alexander Bergmann wrote:
>> Hi Magnus,
>> 
>> thanks for your report. I can reproduce VULN#2 (CVE-2018-18065) with our
>> net-snmp-5.7.3 version (sle12/sle15). Our net-snmp-5.4.2.1 version seems
>> to be unaffected.
>> 
>> Regarding your VULN#1 (CVE-2018-18066) I noticed that the patch was
>> already applied to our code base and CVE-2015-5621 was assigned. The
>> issue was already mentioned here at oss-security.
>> 
>> https://www.openwall.com/lists/oss-security/2015/07/31/1
>> 
>> I didn't check the details yet, but if the new CVE is a duplicate,
>> please contact NIST about it.
> 
> Is it actually the same issue? I'm asking because for instance, there
> was indeed earlier CVE-2015-5621 and CVE-2018-1000116, which both were
> addressed with this same commit, but are considered two separate
> issues. So if CVE-2018-18066 is different from CVE-2015-5621 or
> CVE-2018-1000116, the assignment would not be a duplicate.
> 
> Regards,
> Salvatore

