oss-sec mailing list archives

Re: 2 CVE's to be rejected


From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 09 Oct 2013 23:54:36 -0600

On 10/09/2013 11:35 PM, cve-assign () mitre org wrote:
>> The following two CVEs were used internally, one for an issue
>> that turns out not to be an issue (looong story) and one for an
>> issue with the same root cause as another (so duplicate). We
>> could in theory recycle them but I feel it safer to not reuse
>> them in case they leak out and cause confusion.
>>
>> Please REJECT CVE-2013-1870
>> Please REJECT CVE-2013-4398
>
> Our current process for rejecting as a duplicate requires that the
> REJECT description specify the duplicated CVE ID. Would you be able
> to say which one (1870 or 4398) had the duplicate/same-root-cause
> situation, and the correct CVE ID for the vulnerability with that
> root cause?
>
> We would want this information even if the correct CVE ID still
> refers to an embargoed issue.

The duplicate issue is still embargoed, the other one is also an
embargoed issue. I have made notes in our system to notify
oss-security/Mitre when they unembargo (so we'll announce the details
then).

In future should we hold CVE reject notifications until we can provide
the information as to why? I figured sooner was better (but I can also
see holding off until details can be released being a sane choice).

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993