oss-sec mailing list archives
Re: CVE request
From: Solar Designer <solar () openwall com>
Date: Mon, 20 Apr 2015 06:24:27 +0300
Sorry for bikeshedding, but:

On Sun, Apr 19, 2015 at 10:21:00PM -0400, Dan McDonald wrote:
> Illumos bug #5853 (https://www.illumos.org/issues/5853), now fixed, can be exploited to escalate privilege. It's not easy to do so, but it is enough to cause concern and ask for a CVE number.

http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

"When applicable, the message Subject must include the name and version(s) of affected software, and vulnerability type. For example, a Subject saying only "CVE request" or "CVE-2099-99999" is not appropriate, whereas "CVE request - Acme Placeholder 1.0 buffer overflow" or "CVE-2099-99999 - Acme Placeholder 1.0 buffer overflow" would be OK."

> At least two distros already have this fix in place. I'd appreciate a CVE number (and if possible a way to request these on a non-public list... sorry if I missed the FAQ).

If you're OK with posting a CVE request in public, please do so - like you did this time (just with a better Subject). For other cases, see:

http://www.openwall.com/lists/oss-security/2015/04/13/6

and the followups to that message (click "thread-next").

Alexander