Re: CVE request: denial of service flaw in firebird

["Vincent Danen" <vdanen () redhat com>]

On 01/03/2015, at 21:32 PM, Salvatore Bonaccorso wrote:

> Hi,
>
> On Sat, Jan 03, 2015 at 06:59:18PM -0500, cve-assign () mitre org wrote:
> > > I've not seen a CVE for this; could one be assigned?  Thanks.
> > >
> > > It was found that an unauthenticated remote attacker could send a
> > > malformed network packet to a firebird server, which would cause the
> > > server to crash.
> > >
> > > http://www.firebirdsql.org/en/news/security-updates-for-v2-1-and-v2-5-series-66011/
> > > http://tracker.firebirdsql.org/browse/CORE-4630
> > > http://sourceforge.net/p/firebird/code/60331/
> > > https://bugs.mageia.org/show_bug.cgi?id=14726
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1172445
> >
> > Use CVE-2014-9492.
>
> I have a question back on this assignment. Initially CORE-4630 did not
> had a CVE reference in the title at leat afair, but some time ago the
> reference to CVE-2014-9323 appeared.
>
> We used then this reference in Debian to track the issue, but also
> others have it:
>
> https://bugzilla.suse.com/show_bug.cgi?id=910653
> https://bugzilla.redhat.com/show_bug.cgi?id=1172445
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9323
> https://security-tracker.debian.org/tracker/CVE-2014-9323
>
> Should CVE-2014-9492 be rejected and CVE-2014-9323 to be still
> continued to be used?

Thanks for this, Salvatore.  I hadn't noticed that the CVE was assigned. 
 I think 9492 should be rejected; I don't know where 9323 came from but 
we have already released errata with that CVE name for Fedora and it 
looks like many others (as you noted) are also using 9323.



--
Vincent Danen / Red Hat Product Security