oss-sec mailing list archives
Re: CVE request: libressl before 2.0.2 under linux PRNG failure
From: cve-assign () mitre org
Date: Wed, 30 Jul 2014 20:08:45 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> I see a number of web pages relating to this issue are mentioning that it has already been assigned CVE-2014-2970, can anyone throw light on this?
> At MITRE, we (obviously) know where CVE-2014-2970 came from, and we'll send information here about the resolution as soon as it happens.
We've since learned that nobody ever assigned CVE-2014-2970 to that
LibreSSL issue, and apparently every appearance of CVE-2014-2970 in "a
number of web pages" was ultimately the result of a miscommunication
outside of MITRE.
A complication is that CVE-2014-2970 had been assigned to a different
issue, and that issue isn't yet public. What you should do is:
- if you're part of the embargo audience that has been using
CVE-2014-2970 for a private vulnerability, use CVE-2014-5139
instead
- if you're not part of that embargo audience, all we can suggest is
that it's very likely that you'll see a public disclosure of
CVE-2014-5139 in the future
Also:
- MITRE is not part of the embargo audience and does not know what
the CVE-2014-5139 vulnerability is
- MITRE has separately communicated the CVE ID change to the
organization that originally assigned CVE-2014-2970
Soon, the MITRE CVE web site will have this for CVE-2014-2970:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason:
This candidate is a duplicate of CVE-2014-5139, and has also been used
to refer to an unrelated topic that is currently outside the scope of
CVE. This unrelated topic is a LibreSSL code change adding
functionality for certain process-bifurcation use cases that might
arise in future LibreSSL-based applications. There is no CVE ID
associated with this LibreSSL code change. As of 20140730,
CVE-2014-5139 is an undisclosed vulnerability in a different product,
with ongoing vulnerability coordination that had previously used the
CVE-2014-2970 ID.
The MITRE CVE web site entry for CVE-2014-5139 will have the details
of the issue after the public disclosure happens.
- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
