Re: Discussion: information leakage from server and client software - CVE/hardening/other?

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> we could for example have challenged CVE-2011-4083 for example saying
> that it is useful to us

Our perspective is that, on balance, that's a preferable way to
proceed. Probably very few people outside of Red Hat would understand
whether "private entitlement keys" tend to cause problems for
customers. If you had a situation where:

  - disclosure of an entitlement key didn't matter much
    because the key is node-locked to the hardware of
    a specific customer

  and

  - bugs sometimes caused customers to have a wrong key

then you probably wouldn't want a third party obtaining a CVE ID based
on a guess that "entitlement key" seems roughly the same as sending
the full contents of the /root/.ssh directory.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUNITCAAoJEKllVAevmvms/R0IAJuCOq/RlCFALooKjS9t8NsQ
o4anQNsySmh3YYB8yW8siqf2j0oOgL/yv2JIuz0YlMRO9wG58jz7Ef5mt3CHbNDf
jiaMca2237fcpWa1DWTYeYX9p3yNuiV+LulSNlT4HjF+1SCrprFbaciGACjgFrnk
74X0HNzai8I3TLZyKwo9Phy4hIfrC9j+j6TS0d84QjxpiM4rRmbm0ss1UaUlR918
a5Kk2oefMF/uD3w5HgOTcAd4QmpHpXS701a7ebDbOcasUTC0jIJEp886S07ZFZa6
SOvp8VCF6dEzPsqLlG/PHcOyRzbt0pkDyDz+H4IenxgJjFmnfLQyjSgnWSfpZNA=
=KayV
-----END PGP SIGNATURE-----