oss-sec mailing list archives
Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14)
From: Garth Mollett <gmollett () redhat com>
Date: Fri, 21 Feb 2014 12:14:26 +1100
On 02/20/2014 09:49 AM, David Jorm wrote:
>> Do some of these issues need a CVE assigned?
>>
>> Regards,
>> Salvatore
>
> It looks to me as though at least some of these issues definitely need CVE IDs assigned.
> I reported SECURITY-105, and it is my opinion that this flaw needs a separate CVE ID from CVE-2013-7285.
> The Jenkins patch blocks DynamicProxyConverter from the Jenkins wrapper class XStream2, without changing the XStream library at all.
> This implements a less-general solution than the XStream patch for CVE-2013-7285, and the patch applies to a completely separate codebase (i.e. Jenkins itself, not XStream).
> Therefore it is my understanding that this flaw as it affects Jenkins qualifies for a unique CVE ID.
> When reporting this flaw to upstream, the Jenkins engineers agreed that it qualified for a unique CVE ID, and I offered to assign a CVE ID from the Red Hat CNA.
> This offer was refused, but then the advisory was released without a unique CVE ID, which is puzzling indeed.
> Could someone from MITRE please weigh in and assign CVE IDs as appropriate for these flaws?
Hi,

Is there any movement on this? The original request for CVEs came to oss-sec on the 17th.

Thanks.
Attachment:
signature.asc
Description: OpenPGP digital signature
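The quoted message describes the Jenkins fix for SECURITY-105 only in one sentence: DynamicProxyConverter is blocked from the application's own XStream wrapper rather than by patching the XStream library. The following Java example, added here by the editor and not taken from the thread, Jenkins or XStream, illustrates what such an application-side block looks like. It assumes XStream 1.4.x's public converter API (registerConverter with PRIORITY_VERY_HIGH, the DynamicProxyMapper.DynamicProxy placeholder type, ConversionException); the class HardenedXStream, the converter RefuseDynamicProxyConverter and the input documents are all constructed for this illustration and do not reproduce the actual Jenkins XStream2 patch.

```java
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
import com.thoughtworks.xstream.mapper.DynamicProxyMapper;

/**
 * Hypothetical application-side XStream wrapper (NOT Jenkins' XStream2 and NOT
 * the actual SECURITY-105 patch). It refuses to (de)serialise dynamic proxies
 * without modifying the XStream jar, which is the shape of fix the mail
 * contrasts with the library-level patch for CVE-2013-7285.
 */
public class HardenedXStream extends XStream {

    public HardenedXStream() {
        super();
        // Converters are consulted in priority order. Registering ours at
        // PRIORITY_VERY_HIGH means it is asked before the library's built-in
        // DynamicProxyConverter, so any type that converter would claim is
        // intercepted here first.
        registerConverter(new RefuseDynamicProxyConverter(), XStream.PRIORITY_VERY_HIGH);
    }

    /**
     * Claims exactly the types the stock DynamicProxyConverter claims (the
     * <dynamic-proxy> placeholder type and any java.lang.reflect.Proxy class)
     * and refuses them in both directions.
     */
    static final class RefuseDynamicProxyConverter implements Converter {
        @Override
        public boolean canConvert(Class type) {
            return type == DynamicProxyMapper.DynamicProxy.class || Proxy.isProxyClass(type);
        }

        @Override
        public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
            throw new ConversionException("dynamic proxies are not serialised by this application");
        }

        @Override
        public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
            // Thrown before any <interface> or <handler> child is processed, so
            // no proxy instance is ever created.
            throw new ConversionException("refusing to deserialise <" + reader.getNodeName() + ">");
        }
    }

    /** Returns true only if the wrapper rejected the document with a ConversionException. */
    static boolean rejects(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return false;
        } catch (ConversionException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xs = new HardenedXStream();

        // Ordinary data still round-trips: the block is narrow, not a general denylist.
        List<String> jobs = new ArrayList<String>();
        jobs.add("build");
        jobs.add("deploy");
        String xml = xs.toXML(jobs);
        System.out.println("round-trip ok: " + jobs.equals(xs.fromXML(xml)));

        // Constructed input: a bare <dynamic-proxy> element using XStream's own
        // alias for DynamicProxyMapper.DynamicProxy. No handler is supplied; the
        // point is only that the element itself is refused by the wrapper.
        String proxyDoc = "<dynamic-proxy><interface>java.lang.Runnable</interface></dynamic-proxy>";
        System.out.println("hardened rejects dynamic-proxy: " + rejects(xs, proxyDoc));
        System.out.println("plain XStream rejects dynamic-proxy: " + rejects(new XStream(), proxyDoc));
    }
}
```

The design point the mail makes is visible in the code: everything lives in the application's wrapper class, and the library is untouched, so the protection exists only for code paths that go through this wrapper, whereas XStream's own fix for CVE-2013-7285 applies to every XStream instance in the process. That difference in scope is why a separately patched codebase can warrant its own CVE.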
Current thread:
- Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14) Salvatore Bonaccorso (Feb 16)
- Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14) David Jorm (Feb 19)
- Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14) Garth Mollett (Feb 20)
- Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14) cve-assign (Feb 20)
- Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14) David Jorm (Feb 19)