oss-sec mailing list archives

Re: CVE Request -- Mercurial -- Doesn't verify subject Common Name properly


From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Tue, 16 Nov 2010 11:02:02 -0500

Hi,

On Mon, 2010-11-15 at 16:58 -0500, Steven M. Christey wrote:
Ouch, this is painful for a number of reasons.

Maybe Python "should" get the CVE, but the decision to push the issue to 
application developers means that those developers will each have to 
provide fixes, and software consumers will have to track these related 
vulns at the application level.

(One could make the same argument about fundamental design flaws in 
standards-based protocols, for which CVE generally assigns a single 
identifier, but those issues generally feel "different" to me.  Quite 
logical, I know...)

Anyway, I think we need to assign separate CVEs for each affected product 
as an instance of "an implementation not working around security-relevant 
design limitations of APIs" (which is consistent with the approach that 
CVE has taken with respect to the DLL hijacking / insecure library loading 
issues of the past couple months.)

Thanks for the clarification. Here are some more projects that need CVEs
for this issue:

libcloud:
https://issues.apache.org/jira/browse/LIBCLOUD-55
https://bugs.launchpad.net/ubuntu/+source/libcloud/+bug/675217

Checkbox:
https://bugs.launchpad.net/ubuntu/+source/checkbox/+bug/625076

Bazaar:
https://bugs.edge.launchpad.net/bzr/+bug/651161


Thanks,

Marc.


-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
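The workaround the thread expects from each affected application is that the program itself checks the server certificate against the hostname it meant to reach, because the underlying Python SSL API of the time only validated the chain. The following is an added example of such a check; it is not code from Mercurial, libcloud, Checkbox, Bazaar or any other project named above. It assumes the certificate is supplied in the dictionary shape that `ssl.SSLSocket.getpeercert()` returns (`subject` as nested RDN tuples, `subjectAltName` as `(type, value)` pairs); the sample certificates at the bottom are constructed for illustration. It goes slightly beyond the bare CN check the subject line names: dNSName entries in subjectAltName are preferred, the CN is consulted only as a fallback, and wildcards are restricted to a single leftmost label.

```python
"""Application-level hostname check for a peer certificate (added example).

The matcher operates on the dict shape returned by ssl.SSLSocket.getpeercert()
(an assumption of this example); it does not open any network connection.
"""


def _match_dns_pattern(pattern, hostname):
    """Match one certificate name (CN or dNSName) against a hostname.

    Rules: case-insensitive, trailing dots ignored, and a wildcard is only
    accepted as the whole leftmost label of a name with at least three labels
    ('*.example.com' is fine, '*.com', 'f*o.example.com' and '*.*.example.com'
    are rejected). A wildcard never spans more than one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def match_hostname(cert, hostname):
    """Return True if cert is valid for hostname.

    dNSName entries from subjectAltName take precedence; the subject
    commonName is only used when the certificate carries no dNSName at all,
    so a misleading CN next to a legitimate SAN cannot widen the match.
    """
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_match_dns_pattern(name, hostname) for name in names)


def verify_peer(ssl_sock, hostname):
    """Run the check on a connected SSL socket; raise if the peer does not match.

    The socket must have been wrapped with certificate verification enabled,
    otherwise getpeercert() returns an empty dict and the check fails closed.
    """
    cert = ssl_sock.getpeercert()
    if not match_hostname(cert, hostname):
        raise ValueError("certificate does not match hostname %r" % hostname)
    return cert


# Constructed sample certificates in getpeercert() shape (not real certificates).
CERT_WITH_SAN = {
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("commonName", "example.com"),)),
}
CERT_BAD_WILDCARD = {
    "subjectAltName": (("DNS", "*.com"),),
}


if __name__ == "__main__":
    for cert, host in ((CERT_WITH_SAN, "www.example.com"),
                       (CERT_WITH_SAN, "attacker.example"),
                       (CERT_CN_ONLY, "example.com"),
                       (CERT_BAD_WILDCARD, "example.com")):
        print(host, "->", match_hostname(cert, host))
```

`verify_peer` is the step an application adds right after the handshake: wrap the socket with `cert_reqs=CERT_REQUIRED` and a CA bundle so the chain is checked, then call `verify_peer(sock, hostname)` before sending anything. Failing closed on an empty certificate dict matters because an unverified wrap yields exactly that.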