Date: Mon, 23 Dec 2013 14:01:04 -0700
From: Vincent Danen <vdanen@...hat.com>
To: cve-assign@...re.org
Cc: OSS Security List <oss-security@...ts.openwall.com>, carnil@...ian.org
Subject: Re: CVE request: denial of service in Nagios (process_cgivars())


On Dec 23, 2013, at 1:19 PM, cve-assign@...re.org wrote:

> > http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
> 
> Relative to CVE-2013-7108, Nagios changed two files that Icinga did
> not change. If the additional changes are vulnerability fixes, we will
> assign two more CVE IDs. (The vulnerability types would not be the
> same.) We are currently coordinating with Icinga upstream on this. In
> any case, CVE-2013-7108 will represent a set of off-by-one error
> issues that are common to Icinga and Nagios, and were all announced at
> the same time. CVE-2013-7108 is not specific to only Icinga.

I was unaware of any Icinga issues, but I guess that makes sense (we don't ship Icinga so have no reason to look at it).

Can you please advise if any additional CVE(s) will be assigned to this commit in Nagios then?  In the meantime I'll associate CVE-2013-7108 with our bug.

Thanks!

-- 
Vincent Danen / Red Hat Security Response Team

