oss-sec mailing list archives
Re: Re: Socat security advisory 7 - Created new 2048bit DH modulus
From: Seth Arnold <seth.arnold () canonical com>
Date: Tue, 2 Feb 2016 12:27:46 -0800
On Tue, Feb 02, 2016 at 02:36:06PM -0500, cve-assign () mitre org wrote:
> useful. Our question is about whether anyone needs two CVE IDs. A CVE ID must be for a specific vulnerability (although we realize that the CVE ID may often be used to track the update). Here, there can be a CVE ID for the "was not prime" finding in the sense that p is supposed to be prime, and a non-prime value is an implementation error regardless of any other details of the situation. With the currently published information, we do not see a way to generate a second CVE ID for something related to "no indication of how these parameters were chosen" or "cannot be ruled out."

Ubuntu won't issue an Ubuntu Security Notice for the socat issue (because socat is in our "universe" archive); however, we wouldn't find it useful to have a second CVE assigned for "no indication of how these parameters were chosen" or "cannot be ruled out".

This is one area where distro needs don't 100% align with MITRE's: one CVE per line of code is sufficient for us but not for MITRE. When in doubt I'd suggest to limit the number of CVEs issued just on the principle of less work for everyone. When it's clear, of course, do what you must; we're lucky we get to use CVEs to identify issues, and some slight duplication (from our perspective) is a price well worth paying to use CVE's many positive benefits.

Thanks