Message-Id: <20140904145155.8E11833200D@smtpvbsrv1.mitre.org>
Date: Thu,  4 Sep 2014 10:51:55 -0400 (EDT)
From: cve-assign@...re.org
To: thoger@...hat.com, vdanen@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: V8 Memory Corruption and Stack Overflow - Node.js

http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
is CVE-2014-5256. This CVE ID has been in public use for about two
weeks (examples are the http://xforce.iss.net/xforce/xfdb/95057 and
http://www-01.ibm.com/support/docview.wss?uid=swg21682094 references)
but unfortunately the CVE ID isn't mentioned in any obvious place on
the nodejs.org web site, possibly because we only thought it was
likely that upstream would do that, and we didn't directly ask.

Also, the specific wording "A memory corruption vulnerability, which
results in a denial-of-service, was identified in the versions of V8"
was discussed with upstream. The information that we have is that the
issue actually should not be considered a vulnerability in V8, and
instead should be considered a vulnerability in Node.js. It is not a
case where a CVE assignment by Google would have been expected.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
