Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <DM2PR09MB027022D8FA55B820E2975AF0CCE80@DM2PR09MB0270.namprd09.prod.outlook.com>
Date: Wed, 9 Dec 2015 20:26:42 +0000
From: "Evans, Jonathan L." <jevans@...re.org>
To: Kurt Seifried <kseifried@...hat.com>, oss-security
	<oss-security@...ts.openwall.com>
CC: CVE ID Requests <cve-assign@...re.org>
Subject: RE: CVE for git issue - please use CVE-2015-7545

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are not certain if the assignment of CVE-2015-7545 is correct.  The vendor
may not officially support the "blindly enable recursive fetch" scenario, i.e.
the user is expected to accept the risk of executing a recursive fetch from an
untrusted source, and the change should be considered a security hardening
feature for the convenience of their users.

MITRE has been actively working with the upstream vendor to determine the
appropriate number of CVEs for the vulnerabilities.  There was no oss-security
post from us because the context of MITRE's work was related to previous private
communication from and to the upstream vendor.

In the future, we plan to respond quickly to requests like the initial one,
asking the requester for the appropriate information needed to assign a CVE ID.

- --
Jonathan Evans
CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through
http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJWaI5KAAoJEL54rhJi8gl5WDsQAL1khrVZkPxjgxauyLhaaPKA
+zQogmqLzJmAlx6JNj5ehKNvSkPFX9J4TzJ7IyYdEiVaeoUvbWJHu+CCNfmsiEXv
jmMDCfMOTeHUhHBi0DaeAklspzN11a78m+y4LV1ixB2/75PRHapNR36Ff2OLB6L0
PDCW3Kwl0QBRWg+ezF4SeOfJNqCYUaat6oW16wgL33b1NTPveP7Iop0INHwb/ebd
UEak3vZTeHowT0IP0/5wbUyqEmYXONvUuXfRvLuQQzVL2qfValAN6KMbFq2mjYEm
SeGj9uNTBf16ATF/BboN3IWElBtGLfIwY3Rleu8NtMmKruR8rEP9tqDZKdnZI50K
+c6S3sdqlfzc8F2m99dGE5FuXe/qY0WfALo8vDgNs58zR5uh23rIIGZwgU4zxl32
V71ssQr/hbfxen8u3ZJ258bRVmhh8SFyykKznYdC0iq1Zf58oIwmUgja5AbNNkqI
39jeBeAVrdmmMIMrrw+hYDRRFcRXHRkGM95gMCSjBSHY68/duKfN+G3CIRntxtek
/Cu3IIy50FybOfOERdy+NBsQV8yK2LR+PXWXMmik0JgYMRXkwH6zSf5opbwGDWQb
0nI+HIKSUXdmjGHyVE8YqgeFcb52W9+EbdybuRkdbZq09rUWUr94FPjR73VNA8Yj
755moYSPJKuOLPJK33pi
=IV1v
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.