oss-sec mailing list archives
Re: CVE-2009-3297 samba/ncpfs/fuse issues granted individual 2010 CVE names?
From: Vincent Danen <vdanen () redhat com>
Date: Tue, 2 Mar 2010 13:57:50 -0700
* [2010-03-02 13:52:05 -0700] Vincent Danen wrote:
> Hi, Steve. I'm confused about these three CVEs, particularly since CVE-2009-3297 was assigned to this issue (I suppose it would be more correct to have 3 CVEs for the issue, but I'm not sure then why CVE-2009-3297 was completely ignored unless you intend for it to be not used/duplicated to one of these?).
>
> I'm also confused on using a 2010-based name since our bugzilla entry is dated 2009-11-04, and Samba upstream has their report dated 2009-10-28, so these should have received 2009-based names.
>
> We've used CVE-2009-3297 all over the place so it's pretty hard to miss. Looking at the references just for the samba issue (your CVE-2010-0787), all of the references except the git commits refer to CVE-2009-3297.
>
> Can you clarify why this was done? CC'ing oss-security in case anyone else has noticed this as well.

Gah! Sorry, I missed this other bit because I was looking on the website and CVE-2009-3297 still says "** RESERVED **", but:

Name: CVE-2009-3297
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3297

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-0787, CVE-2010-0788, CVE-2010-0789. Reason: this candidate was intended for one issue in Samba, but it was used for multiple distinct issues, including one in FUSE and one in ncpfs. Notes: All CVE users should consult CVE-2010-0787 (Samba), CVE-2010-0788 (ncpfs), and CVE-2010-0789 (FUSE) to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Sorry for the extra noise, but I am still curious as to why the decision was made to reject CVE-2009-3297 instead of just indicating it should have been only used for samba and had the other 2 assigned individually?

--
Vincent Danen / Red Hat Security Response Team