Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <201401180039.s0I0dR4L001227@linus.mitre.org>
Date: Fri, 17 Jan 2014 19:39:27 -0500 (EST)
From: cve-assign@...re.org
To: vdanen@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE-2014-0021: chrony traffic amplification in cmdmon protocol

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> With the news about the traffic amplification issue in ntpd, one of
> our developers looked at chronyd

At cve-assign@...re.org, we've received a number of reports that have
protocol descriptions, and ask for CVE assignments for amplification
attacks. We've declined making assignments for those. One of the
criteria we're currently using is:

  - cases in which a vendor of a UDP protocol implementation announces
    that they made a security-relevant mistake by having configuration
    or code elements that allow amplification attacks, and publishes
    a fix for this mistake

One of the other CVE Numbering Authorities was also receiving similar
reports. We coordinated with them and learned that they were looking
at CVE eligibility in much the same way.

The "in which a vendor of a UDP protocol implementation" above was
what we had for the CVE-2013-5211 ntpd issue (with some definition of
"announces"). We don't know the ultimate outcome of how amplification
attacks will interact with the scope of CVE, but we did want to point
out that this CVE-2014-0021 assignment seemed inconsistent with what
we've been doing.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS2cuHAAoJEKllVAevmvmsurYIALjzoZDswrD9TcHR/ObNIU9G
6qIsWM49HJ0VRnY88DJj1aO3vB2bnGiPNVK7Xe3RNkIBW6OPZ4cQyypv2ZijjhSC
QLMlGgzgGAvJq4MQjOeq2RQinS3MUuqj4cHcoQ9Fy64avonXlfuJEsDu5WC3yEah
M6el74ZmwPZupfs0hTvq0aGjvSqRd2alSFsSRUwUxHMS8PZLj4bP/l/NfHMPLC9V
vdQFm90JhccAkn0uzPc87lOeVlqQCpX1KH8R587S2MneoommzKEBrVQI1xTlNjrR
gLyz58pHC9kxPwkbztBr5hS5isSyKpsmrcvKhLRQlLi/51Kd9zTAucj9RdF6gLU=
=S4od
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.