Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <201403041735.s24HZ6EH004806@linus.mitre.org>
Date: Tue, 4 Mar 2014 12:35:06 -0500 (EST)
From: cve-assign@...re.org
To: meissner@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE-2013-6800 is a dup of CVE-2013-1418

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6800
> is the same issue as 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1418
> 
> (basically the same code fix for the same issue,

The scope of CVE-2013-1418 is this part of
c2ccf4197f697c4ff143b8a786acdd875e70a89d:

  Multi-realm KDC null deref [CVE-2013-1418] ... If a KDC serves
  multiple realms, certain requests can cause setup_server_realm() to
  dereference a null pointer, crashing the KDC.

  CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C


The scope of CVE-2013-6800 is this part of
c2ccf4197f697c4ff143b8a786acdd875e70a89d:

  A related but more minor vulnerability requires authentication to
  exploit, and is only present if a third-party KDC database module can
  dereference a null pointer under certain conditions.


The practical relevance of the second CVE is that, based on the
available information, a KDC apparently can be vulnerable to
CVE-2013-6800 even if the CVE-2013-1418 exploitation conditions are
not met. The vendor's disclosure binds the CVE-2013-1418 ID only to a
subset of the c2ccf4197f697c4ff143b8a786acdd875e70a89d comment. This
was accompanied by a similar binding within third-party references
such as 1026942 in the Red Hat Bugzilla. It is conceivable that
someone would want to track CVE-2013-6800 even if they determined that
CVE-2013-1418 was not relevant to their installation.

In general, even if a single patch could address two distinct types of
attacks, that does not necessarily mean that two CVEs are duplicates.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTFgz+AAoJEKllVAevmvmsg2AIAK3YEISuzaCFszqZIUMc7xTu
c19WulvIAzWTzCplCiYsq/y9y146PKCNSKeYZM9pLx/Nk5kz0m9627YmqCOxbzMx
7xQw0fn5F07/wOn2HFGdh6MxC1J7qGK+2EyBeL6yYdTEY4aNdLNGTZZP5YzQAP7O
yHL7Bh2ko3WWZKZ2f4qTGzRvbN7G5ZDQzTsTYDJUhqQUuvMCnP8NpnTb7qC/RGNH
k+u7lkohA/1gst476tb/uVSAYfwH/8zPkhygC6WlSRwrs3DoP+T6Ycle+6+1hH4z
7dlr1GXmAx989KG6TsjY+gmM9DHAnAOTM9wMA1ext8OWX7a40qVFlhZbQMr+M8Q=
=oIex
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.