Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass

["Steven M. Christey" <coley () linus mitre org>]

On Wed, 5 Aug 2009, Matthias Andree wrote:

> - for this problem class (NUL in CN/subjectAltName allows impersonation of
> other sites), add a sort of "umbrella CVE" that will reference the
> individual application CVEs. Would this work?

I am generally wary of assigning umbrella CVEs for implementation bugs
that lots of applications happen to contain at the same time.  That's like
giving a single CVE for "FTP server buffer overflow via long USER name" -
which has happened to at least 20 separate implementations in the past.

Generally, the only time that I find umbrella CVEs "tolerable" are during
disclosures that involve massive sets of test cases and lots of
implementations; the PROTOS SNMP disclosures from 2002(?) are the
canonical example.

An umbrella CVE for a fundamental design problem is a different story
because one "developer" made a mistake - the original designer.

So use CVE-2009-2666 for fetchmail (I'll fill it in later) and Tomas, even
if it results in dozens of CVEs, I suspect this is how we should go.

- Steve