Re: CVE-2009-3297 samba/ncpfs/fuse issues granted individual 2010 CVE names?

[Vincent Danen <vdanen () redhat com>]

* [2010-03-02 13:52:05 -0700] Vincent Danen wrote:

> Hi, Steve.  I'm confused about these three CVEs, particularly since
> CVE-2009-3297 was assigned to this issue (I suppose it would be more
> correct to have 3 CVEs for the issue, but I'm not sure then why
> CVE-2009-3297 was completely ignored unless you intend for it to be not
> used/duplicated to one of these?).
>
> I'm also confused on using a 2010-based name since our bugzilla entry is
> dated 2009-11-04, and Samba upstream has their reported dated
> 2009-10-28, so these should have received 2009-based names.
>
> We've used CVE-2009-3297 all over the place so it's pretty hard to miss.
> Looking at the references just for the samba issue (your CVE-2010-0787),
> all of the references except the git commits refer to CVE-2009-3297.
>
> Can you clarify why this was done?  CC'ing oss-security in case anyone
> else has noticed this as well.

Gah!  Sorry, I missed this other bit because I was looking on the
website and CVE-2009-3297 still says "** RESERVED **", but:

> Name: CVE-2009-3297
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3297
>
> ** REJECT **
>
> DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2010-0787,
> CVE-2010-0788, CVE-2010-0789.  Reason: this candidate was intended for
> one issue in Samba, but it was used for multiple distinct issues,
> including one in FUSE and one in ncpfs.  Notes: All CVE users should
> consult CVE-2010-0787 (Samba), CVE-2010-0788 (ncpfs), and
> CVE-2010-0789 (FUSE) to determine which ID is appropriate.  All
> references and descriptions in this candidate have been removed to
> prevent accidental usage.

Sorry for the extra noise, but I am still curious as to why the decision
was made to reject CVE-2009-3297 instead of just indicating it should
have been only used for samba and had the other 2 assigned individually?

--
Vincent Danen / Red Hat Security Response Team