Re: Qt SSL endless loop

[Vincent Danen <vdanen () redhat com>]

* [2010-08-20 16:56:02 -0400] Steven M. Christey wrote:

> Just to close this up.  I have actually preserved CVE-2010-2621 and 
> have marked CVE-2010-2533 as a duplicate, which is contrary to what 
> Vincent said.

Bah, just re-read the below thing and you're entirely right, and this
was what I meant (looking at our bug, we never used 2533, and left 2621
as it was).  My intention was to note the newly _assigned_ one as a dupe
and I was apparently concentrating on the larger number when I wrote the
response.

Sorry about that, that probably created a healthy dose of confusion.

> MITRE is ultimately the authority on which CVE should be rejected 
> when duplicates arise.  See 
> http://cve.mitre.org/cve/editorial_policies/duplicates.html for the 
> criteria that I generally follow (every once in a while, a behemoth 
> "authoritative source" wins, though generally there is an expectation 
> that their ID will become more ubiquitous in the future anyway.)

No problem at all.  Thanks for the clarification here Steve.

> On Mon, 19 Jul 2010, Vincent Danen wrote:
>
> > * [2010-07-19 10:49:36 +0200] Ludwig Nussel wrote:
> >
> > > Vincent Danen wrote:
> > > > * [2010-07-16 11:19:09 -0400] Josh Bressers wrote:
> > > >
> > > > > Please use CVE-2010-2533
> > > >
> > > > Wasn't this already assigned CVE-2010-2621?
> > > >
> > > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2621
> > > >
> > > > It links to the same advisory (qtsslame-adv.txt) and that only seems to
> > > > be reporting one single problem.
> > >
> > > Oops, indeed. We've overlooked that assignment. Sorry for the confusion :-/
> >
> > No problem.  We need to discard the new one then (discard CVE-2010-2621
> > as a dupe of CVE-2010-2533).

--
Vincent Danen / Red Hat Security Response Team