oss-sec mailing list archives

Re: Vulnerabilities in Debian F*EX <= 20100208 and F*EX 20111129-2.


From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Thu, 23 Feb 2012 13:10:40 -0500 (EST)


Nico Golde said:

> Can someone please assign a CVE id to this? Given that all of
> the vulnerable input parameters are in the fup component, I
> guess one id should be sufficient.

We actually need two CVEs here.

Which components the vulnerabilities are in is rarely relevant for deciding how many CVEs to assign. Much more critical is which versions are affected. The original researcher provided two advisories for 2 different versions. So even though "fup" is affected, we would need to SPLIT if there are some items/vectors/issues that affect different versions than others (hint: we will SPLIT.)

Kurt said:

> Please use CVE-2012-0869 for this issue.

Here are the breakdowns for the two advisories/versions:

F*EX <= 20100208
  fup / from parameter
  fup / to parameter
  fup / id parameter

F*EX 20111129-2
  fup / id parameter


So, based on the original report, we have:

  20100208 only:
    fup / from
    fup / to

  20100208 *and* 20111129-2
    fup / id

So, we MERGE the "fup" and "from" vectors since they affect the same version, and we SPLIT these from the "id" vector. (For the incredibly detail-oriented: whether the parameters come via GET or POST methods is irrelevant for CVE.)

Now, the question is which issue we link with CVE-2012-0869. Since Debian bug 660621 focuses on the id parameter, and that parameter affects both listed versions, I guess it makes sense to focus CVE-2012-0869 on the id parameter.

I've assigned CVE-2012-1293 for the "from" and "to" parameters that are only listed for 20100208.

- Steve

