Re: CVE-2014-0021: chrony traffic amplification in cmdmon protocol

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Is this not a same/similar case?

There are many UDP protocols in which the reply traffic is larger than
the request traffic. A vendor can handle this in several possible
ways, including (for example) a statement that the protocol
implementation details were intentional, and that adverse effects are
a network-operations problem, not a software problem. CVE is about
software mistakes. So, at least at the moment, we are looking for
vendors who characterize the issue as a software mistake, and fix it.

In the chronyd case, this seems likely, so we don't expect any
long-term issue with including CVE-2014-0021 in CVE.

There may well be other reasonable approaches. An example approach
might be making CVE assignments for any protocol implementation that's
similar to one that already has a CVE (e.g., similar to ntpd). We're
not currently using that approach.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS2dYfAAoJEKllVAevmvmsCpcH/AlwpzADNsdZtfJsvLBontoq
Btpl9yry86vVt9HKks3/C4C8l2agPkFKj466TxRFAnRtqgaG5zbxex4CRk09EEmB
yMOlzRTWSYSC4UHH3nsVvNJsikuMR0N3vcdlVqoIfnfTOWyD9DwPgo/OSABm+dMa
vcQmw6JHugTL4ZXju1fKnqbu44QePKc96LXlrcqE4z4AWbzyr3Fc6A2kRWb5g7qt
40ltpwG2vntUzXqSyIN2IvY1OA3wHy8OOh9Hh/a8LXqjqyasWvxSUHNvSF4H/Ezo
a/Rmsq5+x+41Ai3GdYlsH6TSf2B7HMRYMgPKr0FQ/jn6k340NdCzi6WlJpPdPmc=
=Qby5
-----END PGP SIGNATURE-----