Message-ID: <Pine.GSO.4.51.0810311613570.8062@faron.mitre.org>
Date: Fri, 31 Oct 2008 16:18:36 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2008-4619 / milw0rm6775


On Wed, 29 Oct 2008, Tomas Hoger wrote:

> Looks like this is a dupe of CVE-2007-0165 after all...
>
>   http://www.securityfocus.com/bid/21964/
>   http://secunia.com/advisories/23700/
>   http://secunia.com/advisories/32403/

Nothing against these sources, but in general CVE wants a solid "logic
chain" between 2 descriptions before declaring a dupe.  In this case
CVE-2007-0165 is anchored on a very vague description from Sun about
something in libnsl.  CVE-2008-4619 is quite specific.  Just because it's
the same rpcbind service is insufficient, as we all know that the same
package can contain multiple security bugs.

The most solid connection here, though, is SUNALERT:102713 (which
CVE-2007-0165 is anchored on) has now been renamed to SUNALERT:200412,
which directly references CVE-2008-4619.

I'll send a quick-check email to Sun but these do appear to be dupes.  So
then the question is which CVE to reject, and I'm not sure at this moment.

- Steve
