oss-sec mailing list archives

Re: CVE Request (nagios)

From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 16 Dec 2008 21:18:20 -0500 (EST)


On Thu, 11 Dec 2008, Jan Lieskovsky wrote:

  I can't follow this. Nagios 3.0.5 should fix two issues:


Neither can I.  I'm not sure if we need to clean up the CVE descriptions
or not.

Note that general CVE practice is - if you have vuln X in version 1, and
you don't completely fix X, then we give a separate CVE for version 2.

In this case, I'd probably want to modify CVE-2008-5028 to say it's
related to "submission of external commands" which is in the 3.0.6
changelog, then refer to the original, pre-3.0.5 CSRF as the "Tim
Starling" bug or something like that.

- Steve

Current thread:

Re: CVE Request (nagios), (continued)
- - - Re: CVE Request (nagios) Andreas Ericsson (Dec 08)
    - Re: CVE Request (nagios) Eygene Ryabinkin (Dec 08)
    - Re: CVE Request (nagios) Jan Lieskovsky (Dec 08)
    - Re: CVE Request (nagios) Eygene Ryabinkin (Dec 08)
    - Re: CVE Request (nagios) Eygene Ryabinkin (Dec 08)
    - Re: CVE Request (nagios) Eygene Ryabinkin (Dec 10)
    - Re: CVE Request (nagios) Andreas Ericsson (Dec 10)
    - Re: CVE Request (nagios) Eygene Ryabinkin (Dec 10)
    - Re: CVE Request (nagios) Andreas Ericsson (Dec 10)
    - Re: CVE Request (nagios) Jan Lieskovsky (Dec 11)
    - Re: CVE Request (nagios) Steven M. Christey (Dec 16)