Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20140731095907.GL27690@symphytum.spacehopper.org>
Date: Thu, 31 Jul 2014 10:59:07 +0100
From: Stuart Henderson <stu@...cehopper.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, hanno@...eck.de
Subject: Re: Re: CVE request: libressl before 2.0.2 under
 linux PRNG failure

On 2014/07/30 20:08, cve-assign@...re.org wrote:
> >> I see a number of web pages relating to this issue are mentioning that
> >> it has already been assigned CVE-2014-2970, can anyone throw light on this?
> 
> > At MITRE, we (obviously) know where CVE-2014-2970 came from, and we'll
> > send information here about the resolution as soon as it happens.
> 
> We've since learned that nobody ever assigned CVE-2014-2970 to that
> LibreSSL issue, and apparently every appearance of CVE-2014-2970 in "a
> number of web pages" was ultimately the result of a miscommunication
> outside of MITRE.
> 
> A complication is that CVE-2014-2970 had been assigned to a different
> issue, and that issue isn't yet public. What you should do is:
> 
>   - if you're part of the embargo audience that has been using
>     CVE-2014-2970 for a private vulnerability, use CVE-2014-5139
>     instead
> 
>   - if you're not part of that embargo audience, all we can suggest is
>     that it's very likely that you'll see a public disclosure of
>     CVE-2014-5139 in the future

Interesting, thanks. So how does a reporter get hold of an embargoed CVE
number and mistakenly apply it to libressl? It seems strange to have
pulled this number out of thin air. And how long do these embargoes
last, this seems a relatively long time to be sitting on a bug which is
important enough to have been embargoed.

I await the announcement of CVE-2014-5139 with interest!

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.