Date: Tue, 7 Oct 2008 14:33:24 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Tomas Hoger <thoger@...hat.com>
cc: coley@...us.mitre.org, oss-security@...ts.openwall.com,
        veillard@...hat.com, Robert Buchholz <rbu@...too.org>
Subject: Re: Re: libxml2 "ampproblem" DoS


On Mon, 6 Oct 2008, Tomas Hoger wrote:

> CVE-2008-4409 is public on NVD site, CVE-2008-4422 in Gentoo BZ and
> here...  CVE-2008-4422 should probably be rejected.

Agreed.

- Steve

======================================================
Name: CVE-2008-4409
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4409
Reference: MLIST:[oss-security] 20081002 libxml2 "ampproblem" DoS
Reference: URL:http://openwall.com/lists/oss-security/2008/10/02/4
Reference: CONFIRM:http://bugzilla.gnome.org/show_bug.cgi?id=554660

libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities
definitions" in entities, which allows context-dependent attackers to
cause a denial of service (memory consumption and application crash),
as demonstrated by use of xmllint on a certain XML document, a
different vulnerability than CVE-2003-1564 and CVE-2008-3281.


======================================================
Name: CVE-2008-4422
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4422

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2008-4409.  Reason:
This candidate is a duplicate of CVE-2008-4409.  Notes: All CVE users
should reference CVE-2008-4409 instead of this candidate.  All
references and descriptions in this candidate have been removed to
prevent accidental usage.

