Message-Id: <200803081818.48668.rbu@gentoo.org>
Date: Sat, 8 Mar 2008 18:18:48 +0100
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Cc: Florian Weimer <fw@...eb.enyo.de>,
 "Steven M. Christey" <coley@...us.mitre.org>,
 tss@....fi
Subject: Re: CVE? CCE? dovecot setting is often used incorrectly

On Saturday 08 March 2008, Florian Weimer wrote:
> * Jonathan Smith:
> > I've been trying to figure out what to do with this one. I'm not
> > inclined to believe it deserves a CVE given that it is
> > configuration (either dovecot config or filesystem permissions
> > configuration). I read once on mitre.org about "Common
> > Configuration Enumeration" aka "CCE" issues, but I've never seen
> > them actually used. Maybe this is a good candidate?
>
> Debian will release a security update with a patch, so we need a CVE
> anyway.  We might use one from our pool (after all, it's an interplay
> between our default MTA and Dovecot, and may not be very widespread),
> or we might reference a generic one.  I don't know which one is
> better.

For the generic issue you can use CVE-2008-1199.

Robert
