Message-ID: <20140131172039.GA19351@openwall.com>
Date: Fri, 31 Jan 2014 21:20:39 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038)

On Fri, Jan 31, 2014 at 05:34:05PM +0100, rf@...eap.de wrote:
> >>>>> "SD" == Solar Designer <solar@...nwall.com> writes:
>     SD> This is CVE-2014-0038 (assigned shortly after Kees sent the
>     SD> message below).

> Are you sure this is the correct CVE?

Pretty sure, yes.  I am not aware of a reason to think otherwise.

It was kindly assigned by Petr Matousek (of Red Hat, even though their
products are not affected) on Wed, 29 Jan 2014 10:01:59 +0100.

> It was assigned already beginning of Dec. last year.

The "assigned" date seen on CVE IDs often indicates when a pool of CVE
IDs was created and then assigned to a CNA (Red Hat in this case), not
when individual CVE IDs are assigned to actual issues.  It is perfectly
normal (albeit confusing) for the "assigned" date to be earlier than the
vulnerability discovery date.  This was discussed in here before:

http://www.openwall.com/lists/oss-security/2012/01/23/4

CNAs:

http://cve.mitre.org/cve/cna.html

Alexander
