oss-sec mailing list archives

Re: CVE-2009-3297 samba/ncpfs/fuse issues granted individual 2010 CVE names?


From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 3 Mar 2010 13:01:18 -0500 (EST)


On Tue, 2 Mar 2010, Vincent Danen wrote:

> * [2010-03-02 13:05:28 -0500] nobody () redhat com via RT wrote:
>
> Hi, Steve.  I'm confused about these three CVEs, particularly since
> CVE-2009-3297 was assigned to this issue (I suppose it would be more
> correct to have 3 CVEs for the issue, but I'm not sure then why
> CVE-2009-3297 was completely ignored unless you intend for it to be not
> used/duplicated to one of these?).

Sorry about not informing oss-security when I did this; I meant to.

CVE-2009-3297 has been rejected since it was used heavily for multiple issues that should have been assigned separate entries. People weren't just using CVE-2009-3297 for Samba, they were using it for fuse and others.

This rejection has since been uploaded to the CVE site:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3297

Along with the three new CVEs:

CVE-2010-0787 (Samba)
CVE-2010-0788 (ncpfs)
CVE-2010-0789 (FUSE)

I try very hard to avoid doing this kind of split (and REJECT) except when it seems like there will be a lot of confusion; I know how much work it is to clean these up in advisories and so on. I recognize that many people have used CVE-2009-3297 for the Samba problem, but it's been used in DEBIAN:DSA-1989 for FUSE and FEDORA-2010-1145 for ncpfs, for example. An administrator who thinks that "CVE-2009-3297 is fixed" might have solved the ncp issue but still be vulnerable to the Samba issue.

I had originally asked oss-security for clarification on this, without an answer:

http://www.openwall.com/lists/oss-security/2010/02/04/7

(recognizing that I'm the most guilty party for not answering...) but other situations forced me to clear this out.

> I'm also confused on using a 2010-based name since our bugzilla entry is
> dated 2009-11-04, and Samba upstream has their report dated
> 2009-10-28, so these should have received 2009-based names.

I agree - this was an error on my part, so I apologize for the confusion.

- Steve

