Message-ID: <Pine.GSO.4.64.1201041254070.14826@faron.mitre.org>
Date: Wed, 4 Jan 2012 13:11:51 -0500 (EST)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: Moritz Muehlenhoff <jmm@...ian.org>
cc: Kurt Seifried <kseifrie@...hat.com>, oss-security@...ts.openwall.com,
Craig Barratt <cbarratt@...rs.sourceforge.net>, cve-assign@...re.org,
security@...ntu.com
Subject: Re: CVE Request: Security issue in backuppc

All,

A new CVE is needed for this. The new variant SHOULD receive a new CVE
because there's a different researcher (specifically, Jamie) and
effectively a different version (probably upstream; also, many distros may
have already fixed the original CVE-2011-3361).

Blame the CVE content-decision documentation (and me, its author). The
current version can cause confusion, people can interpret it in different
ways, plus there are gaps. It needs some serious restructuring. (This is
why the document's not public.)

Kurt (and other CNAs): the documentation problem is that ADT4 says
"MERGE", which seems to imply that you should stop, but really you should
continue to ADT5, which is about splitting based on different researchers.
ADT4 is there to explicitly cover places where somebody might reasonably
feel like splitting, but CVE does not. There are also a couple other
decision points that aren't documented yet. You should generally fall
through *all* the decision points, not just the first point that suggests
split/merge/consult. That is, all of ADT1 through ADT5 should be examined
when deciding how to group issues.

- Steve