Message-Id: <20150704165840.0EE836C0490@smtpvmsrv1.mitre.org>
Date: Sat, 4 Jul 2015 12:58:40 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: please REJECT CVE-2015-3199

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://projects.theforeman.org/issues/10469
>
> "This was reported by Ori Rabin to foreman-security (thanks!) and a CVE
> identifier was filed under CVE-2015-3199, but it turned out this does
> not affect any released upstream version."
>
> so it was effectively in an unreleased version, thus no need for CVE.

The scope of CVE isn't strictly limited to released upstream versions.
As mentioned at the bottom of the
http://openwall.com/lists/oss-security/2015/01/04/7 post, some products
sometimes have CVEs for this type of unreleased software, whereas others
do not. We feel that Foreman is probably in the latter category.

http://theforeman.org/contribute.html and 10469 suggest that the
incorrect code was found only on the develop branch:

  - Master - latest stable release code
  - Develop - new features and bug fixes

Master is frozen between major releases.

http://theforeman.org/introduction.html doesn't suggest that anyone
ships a product using code from the Foreman develop branch, but we
don't want to immediately rule out that possibility.

This seems to be a good choice for moving to the REJECT state, and we
will most likely do that next week unless there's an important reason
to keep CVE-2015-3199.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVmBAvAAoJEKllVAevmvmsXS4IAMYPSg8K5gDoSq+LV5lTS+na
HTpCQP4POO8NY8YcTQnKY4bnZOF13CXZqUzGxpUiw1uwJlH3yeJI6c3J/EFfAC/s
jnZgLBQ4PgDu3wk3gtIwfQROFQPz07TsAAKZj36mT/v7zA/7UhgVjfqCK9iZxwGd
ejN8Xcfz6ATKyNZvuxxPblqhb4FSdl2cyaQ87VRUVgDcdWnHrcWlimyEN9muNjX6
zeBIYohDVnkkktOu3OeKMkKOyH1ejHNJ3zxcKZMbUpo9fwmRrlssLEslqNbEzIWq
Iv+Pruul3SIENuUVpZgYjq6fbB1sbRuGKBHzxApqVKLZOAXkFAXuPyYf4WqJYlc=
=jqn1
-----END PGP SIGNATURE-----