Date: Sat, 8 Mar 2008 18:18:48 +0100
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Cc: Florian Weimer <fw@...eb.enyo.de>,
"Steven M. Christey" <coley@...us.mitre.org>,
tss@....fi
Subject: Re: CVE? CCE? dovecot setting is often used incorrectly
On Saturday 08 March 2008, Florian Weimer wrote:
> * Jonathan Smith:
> > I've been trying to figure out what to do with this one. I'm not
> > inclined to believe it deserves a CVE given that it is
> > configuration (either dovecot config or filesystem permissions
> > configuration). I read once on mitre.org about "Common
> > Configuration Enumeration" aka "CCE" issues, but I've never seen
> > them actually used. Maybe this is a good candidate?
>
> Debian will release a security update with a patch, so we need a CVE
> anyway. We might use one from our pool (after all, it's an interplay
> between our default MTA and Dovecot, and may not be very widespread),
> or we might reference a generic one. I don't know which one is
> better.
For the generic issue you can use CVE-2008-1199.
Robert