oss-sec mailing list archives
Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass
From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 5 Aug 2009 14:13:04 -0400 (EDT)
On Wed, 5 Aug 2009, Matthias Andree wrote:
- for this problem class (NUL in CN/subjectAltName allows impersonation of other sites), add a sort of "umbrella CVE" that will reference the individual application CVEs. Would this work?
I am generally wary of assigning umbrella CVEs for implementation bugs that lots of applications happen to contain at the same time. That's like giving a single CVE for "FTP server buffer overflow via long USER name" - which has happened to at least 20 separate implementations in the past. Generally, the only time that I find umbrella CVEs "tolerable" are during disclosures that involve massive sets of test cases and lots of implementations; the PROTOS SNMP disclosures from 2002(?) are the canonical example. An umbrella CVE for a fundamental design problem is a different story because one "developer" made a mistake - the original designer. So use CVE-2009-2666 for fetchmail (I'll fill it in later) and Tomas, even if it results in dozens of CVEs, I suspect this is how we should go. - Steve
Current thread:
- CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Matthias Andree (Aug 05)
- Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Tomas Hoger (Aug 05)
- Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Matthias Andree (Aug 05)
- Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Steven M. Christey (Aug 05)
- Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Tomas Hoger (Aug 05)
- Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Matthias Andree (Aug 05)
- Re: "umbrella" CVE names (was: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass) Matthias Andree (Aug 21)
- Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Tomas Hoger (Aug 05)
- Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Matthias Andree (Aug 05)
- Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Henri Salo (Aug 05)
- Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Tomas Hoger (Aug 05)