oss-sec mailing list archives

Re: CVE Request New-djbdns: dnscache: potential cache poisoning


From: cve-assign () mitre org
Date: Thu, 20 Feb 2014 11:21:57 -0500 (EST)

So, if original author says it's a flaw then it's a flaw, otherwise not?

Otherwise MITRE attempts to use the best available information in
deciding whether "security improvement" is a better categorization.
Across all types of products and problems, the original author is
generally allowed to admit that they made a mistake when writing the
code in a certain way.

So now SipHash is 'the only' way to avoid hash collision ever?

At present, introducing SipHash is a type of patch that's very likely
to be considered when a software maintainer is responding to
hash-collision problems. Certainly other patch approaches are
possible. Not all code originated with an implicit functional
specification that the code would do a good job at resisting all types
of intentional hash-collision attacks. So, in general, when a
description of a new attack is published, any resulting patches can be
considered security improvements.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]