Re: CVE already assigned for 1026891?

[Vincent Danen <vdanen () redhat com>]

On Dec 20, 2013, at 8:28 AM, Marcus Meissner <meissner () suse de> wrote:

> On Wed, Dec 18, 2013 at 12:58:17PM -0700, Vincent Danen wrote:
> > On Dec 18, 2013, at 12:43 PM, cve-assign () mitre org wrote:
> >
> > > Signed PGP part
> > > http://www.openwall.com/lists/oss-security/2013/12/18/3 raises the
> > > question of whether there is a CVE assignment in
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1026891 already, in order
> > > to avoid a duplicate assignment. Our guess is that security issues
> > > tracked privately by Red Hat typically do have pre-assigned CVE IDs,
> > > so MITRE will delay a CVE assignment indefinitely.
> > >
> > > Although it would be great to know what CVE ID you have assigned,
> > > replying with something like "yes, it has a CVE ID, but it's only
> > > being shared with the embargo audience" would be quite useful as well.
> >
> > There is a CVE assigned to this, but based on what Sebastian wrote, I can’t tell if it’s the same issue so I’m 
> > hesitant to say what the CVE is in case it does end up being different.
> >
> > Sebastian, can you give me access to your bug?  Or did you intend to make it public?  I’m assuming that since you 
> > are asking about a CVE here, you maybe did not mean to keep it private?  Your other message said your bug contained 
> > upstream URLs (so maybe even pasting those here would be helpful).
> >
> > Once I can look at it, I can let you know for sure whether or not it is the same issue (and should then use the same 
> > CVE).
>
> I have moved the bug to our Security Incidents product, so it should be visible now.

I see it.  That should be CVE-2013-6418 as Murray had already indicated.

https://bugzilla.redhat.com/show_bug.cgi?id=1039801

-- 
Vincent Danen / Red Hat Security Response Team