Re: CVE request: vulnerability in FreeRADIUS (OCSP)

[Josh Bressers <bressers () redhat com>]

Please assign this issue CVE-2011-2701. We can split that ID if more are
needed once we understand the issue.

Thanks.

-- 
    JB

----- Original Message -----
> On Tue, Jul 19, 2011 at 03:13:00PM +0200, Tomas Hoger wrote:
>
> > > Are the published information sufficient to get a CVE number for
> > > the
> > > issue?
> >
> > Was your intention to request a CVE for a still-to-remain-non-public
> > issue to be disclosed in the future, or actually make the issue
> > public?
>
> We plan to make the issue public as soon as we have a CVE and can
> publish
> our advisory. However, almost every detail of the vulnerability has
> been
> already discussed on this list.
> (Summary: the status of the certificate will not be checked)
>
> Thus, the patch does not reveal any further aspects of the
> vulnerability and
> the only reason that we do not want to publish it publicly is that the
> fact
> that it may be incomplete and/or introduce side effects because we do
> not have a complete test environment.
>
>
> > I'm CCing upstream (Alan DeKok), as it seems this thread may be
> > giving
> > out more info than expected. Alan, this is part of the following
>
> Good idea.
>
>
> p.s.
> Please include us in CC since we are not subscribed on the list.
>
> --
> DFN-CERT Services GmbH, https://www.dfn-cert.de/, Phone +49 40
> 808077-555
> Sitz/Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
> Sachsenstraße 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter
> Kossakowski