oss-sec mailing list archives
Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Tue, 16 Nov 2010 11:02:02 -0500
Hi,

On Mon, 2010-11-15 at 16:58 -0500, Steven M. Christey wrote:
> Ouch, this is painful for a number of reasons. Maybe Python "should" get the CVE, but the decision to push the issue to application developers means that those developers will each have to provide fixes, and software consumers will have to track these related vulns at the application level. (One could make the same argument about fundamental design flaws in standards-based protocols, for which CVE generally assigns a single identifier, but those issues generally feel "different" to me. Quite logical, I know...)
>
> Anyway, I think we need to assign separate CVEs for each affected product as an instance of "an implementation not working around security-relevant design limitations of APIs" (which is consistent with the approach that CVE has taken with respect to the DLL hijacking / insecure library loading issues of the past couple months.)

Thanks for the clarification. Here are some more projects that need CVEs for this issue:

libcloud:
https://issues.apache.org/jira/browse/LIBCLOUD-55
https://bugs.launchpad.net/ubuntu/+source/libcloud/+bug/675217

Checkbox:
https://bugs.launchpad.net/ubuntu/+source/checkbox/+bug/625076

Bazaar:
https://bugs.edge.launchpad.net/bzr/+bug/651161

Thanks,

Marc.

--
Marc Deslauriers
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/