oss-sec mailing list archives
Re: Re: CVE request: libressl before 2.0.2 under linux PRNG failure
From: Stuart Henderson <stu () spacehopper org>
Date: Thu, 31 Jul 2014 10:59:07 +0100
On 2014/07/30 20:08, cve-assign () mitre org wrote:
> > > I see a number of web pages relating to this issue are mentioning that it has already been assigned CVE-2014-2970, can anyone throw light on this?
> >
> > At MITRE, we (obviously) know where CVE-2014-2970 came from, and we'll send information here about the resolution as soon as it happens.
>
> We've since learned that nobody ever assigned CVE-2014-2970 to that LibreSSL issue, and apparently every appearance of CVE-2014-2970 in "a number of web pages" was ultimately the result of a miscommunication outside of MITRE. A complication is that CVE-2014-2970 had been assigned to a different issue, and that issue isn't yet public. What you should do is:
>
> - if you're part of the embargo audience that has been using CVE-2014-2970 for a private vulnerability, use CVE-2014-5139 instead
>
> - if you're not part of that embargo audience, all we can suggest is that it's very likely that you'll see a public disclosure of CVE-2014-5139 in the future
Interesting, thanks. So how does a reporter get hold of an embargoed CVE number and mistakenly apply it to libressl? It seems strange to have pulled this number out of thin air. And how long do these embargoes last? This seems a relatively long time to be sitting on a bug which is important enough to have been embargoed. I await the announcement of CVE-2014-5139 with interest!
Current thread:
- CVE request: libressl before 2.0.2 under linux PRNG failure Hanno Böck (Jul 16)
- Re: CVE request: libressl before 2.0.2 under linux PRNG failure cve-assign (Jul 16)
- Re: Re: CVE request: libressl before 2.0.2 under linux PRNG failure Stuart Henderson (Jul 18)
- Re: CVE request: libressl before 2.0.2 under linux PRNG failure cve-assign (Jul 18)
- Re: CVE request: libressl before 2.0.2 under linux PRNG failure cve-assign (Jul 30)
- Re: Re: CVE request: libressl before 2.0.2 under linux PRNG failure Stuart Henderson (Jul 31)
- Re: Re: CVE request: libressl before 2.0.2 under linux PRNG failure Stuart Henderson (Aug 06)
- Re: Re: CVE request: libressl before 2.0.2 under linux PRNG failure Stuart Henderson (Jul 18)
- Re: CVE request: libressl before 2.0.2 under linux PRNG failure cve-assign (Jul 16)