Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <201401180121.s0I1LDdN001981@linus.mitre.org>
Date: Fri, 17 Jan 2014 20:21:13 -0500 (EST)
From: cve-assign@...re.org
To: vdanen@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE-2014-0021: chrony traffic amplification in cmdmon protocol

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Is this not a same/similar case?

There are many UDP protocols in which the reply traffic is larger than
the request traffic. A vendor can handle this in several possible
ways, including (for example) a statement that the protocol
implementation details were intentional, and that adverse effects are
a network-operations problem, not a software problem. CVE is about
software mistakes. So, at least at the moment, we are looking for
vendors who characterize the issue as a software mistake, and fix it.

In the chronyd case, this seems likely, so we don't expect any
long-term issue with including CVE-2014-0021 in CVE.

There may well be other reasonable approaches. An example approach
might be making CVE assignments for any protocol implementation that's
similar to one that already has a CVE (e.g., similar to ntpd). We're
not currently using that approach.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS2dYfAAoJEKllVAevmvmsCpcH/AlwpzADNsdZtfJsvLBontoq
Btpl9yry86vVt9HKks3/C4C8l2agPkFKj466TxRFAnRtqgaG5zbxex4CRk09EEmB
yMOlzRTWSYSC4UHH3nsVvNJsikuMR0N3vcdlVqoIfnfTOWyD9DwPgo/OSABm+dMa
vcQmw6JHugTL4ZXju1fKnqbu44QePKc96LXlrcqE4z4AWbzyr3Fc6A2kRWb5g7qt
40ltpwG2vntUzXqSyIN2IvY1OA3wHy8OOh9Hh/a8LXqjqyasWvxSUHNvSF4H/Ezo
a/Rmsq5+x+41Ai3GdYlsH6TSf2B7HMRYMgPKr0FQ/jn6k340NdCzi6WlJpPdPmc=
=Qby5
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.