|
Message-ID: <1087982932.1032701257537195439.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> Date: Fri, 6 Nov 2009 14:53:15 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: mjc@...hat.com, coley <coley@...re.org> Subject: Re: CVE request for oCERT advisory 2009-013 (yTNEF/Evolution TNEF) ----- "Steven M. Christey" <coley@...us.mitre.org> wrote: > On Wed, 28 Oct 2009, Mark J Cox wrote: > > > > > I checked and oCERT don't have a name, so use CVE-2009-3721 for this. > > This advisory covers both buffer overflows and path traversal in the same > data field. While these may stem from "input validation" (as many issues > do), we would typically assign two separate CVE names, since the fix for a > buffer overflow would not necessarily fix the path traversal (or vice > versa). > > Unless there's some deeper reason for using a single CVE, I think we should > assign separate CVEs here. If you agree Mark, we can use CVE-2009-3721 for > the overflow, and you could assign a new CVE for the traversal. > Let's use CVE-2009-3887 for the traversal then. Thanks. -- JB
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.