Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 24 Oct 2014 16:02:53 -0400 (EDT)
From: cve-assign@...re.org
To: abn@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Duplicate Request: CVE-2013-4444 as a duplicate of CVE-2013-2185

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Red Hat Product Security handled this issue as CVE-2013-2185

In cases of disputes about the validity of a vulnerability with
respect to a specific threat model, it's sometimes possible to have
multiple CVEs.

https://bugzilla.redhat.com/CVE-2013-2185 says:

> A remote attacker able to supply a serialized instance of the
> DiskFileItem class, which will be deserialized on a server, could use
> this flaw to write arbitrary content ...
> 
> The Apache Tomcat team does not agree that this is a valid security
> flaw; they contend that an application performing untrusted
> deserialization is inherently insecure.

This suggests a completely general case in which the serialized
instance could come from an arbitrary untrusted source in an
application-specific way. Apparently, from the perspective of the
Apache Tomcat maintainer, they are not interested in recognizing the
completely general case as a vulnerability. Thus, from their
perspective, there are no affected versions.

The CVE-2013-4444 section of http://tomcat.apache.org/security-7.html
discusses a much more specific threat model. From the perspective of
the Apache Tomcat maintainer, this is recognized as a vulnerability
with the affected versions of 7.0.0 through 7.0.39.

Both parties apparently agree that changes such as:

 -public interface FileItem extends Serializable, FileItemHeadersSupport {
 +public interface FileItem extends FileItemHeadersSupport {

should have occurred. However, there isn't agreement on exactly what
is the motivation for making the change.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUSq9bAAoJEKllVAevmvmssaIIAKSliCKYS2sZMg5uANDmdCPs
Hz4lJ1iI6+NLWLrkd5Gu6AKVWCbLLRYHLj8H6hNMNEcw3qUqiT9PGP4NygsHJe4h
aqvV6WG6pMGxNn/NMOn+7Jn0NgjeeAcjmTEwxy45Qo7T/7Aw0znd3eKn6/kgkUPu
LzNvwW9SdqhqjBVVTsE0mIp+zeDoTUnQcYn8Fsu/lqqsyFga6+2YoOQKySpDH5sT
0QMivZVYHPr94ucQ4Ihafmt/bKzrCLfLymZfbQP991nfWyXMA0bjIHA32gHySJSg
gANZ3RGsFSR0Ftg4IudjPnPrQmh0f8tozfZmIJHFdJHA8A6C5suDtjhyn53iGfc=
=Ts5Q
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.