oss-sec mailing list archives
Re: CVE Request: Regression introduced in cacti with fix for CVE-2013-1435
From: Vincent Danen <vdanen () redhat com>
Date: Thu, 8 Aug 2013 14:16:39 -0600
* [2013-08-08 21:20:59 +0200] Salvatore Bonaccorso wrote:
Hi Kurt

The fix for CVE-2013-1435[1] introduced a regression:

[1] http://svn.cacti.net/viewvc?view=rev&revision=7393

It was reported in [2] and upstream proposed a fix [3] which was confirmed to work by two of the involved people.

[2] http://sourceforge.net/mailarchive/message.php?msg_id=31262707
[3] http://sourceforge.net/mailarchive/message.php?msg_id=31262712

The corresponding svn commits should be the following:

[4] http://svn.cacti.net/viewvc?view=rev&revision=7408
[5] http://svn.cacti.net/viewvc?view=rev&revision=7409
[6] http://svn.cacti.net/viewvc?view=rev&revision=7413

Does this need a follow-up CVE assignment for the regression part introduced?
My understanding would be no. A follow-up CVE would be assigned if it a) didn't fix the underlying security issue (it does) or b) introduced a new security issue (it doesn't). Botching the fix so that _functionality_ no longer works would not be grounds for another CVE (although anyone backporting these would surely want the additional fixes).

--
Vincent Danen / Red Hat Security Response Team