oss-sec mailing list archives
Re: CVE Request: Security issue in backuppc
From: Kurt Seifried <kseifrie () redhat com>
Date: Wed, 04 Jan 2012 13:50:47 -0700
On 01/04/2012 11:11 AM, Steven M. Christey wrote:
All, A new CVE is needed for this. The new variant SHOULD receive a new CVE because there's a different researcher (specifically, Jamie) and effectively a different version (probably upstream; also, many distros may have already fixed the original CVE-2011-3361). Blame the CVE content-decision documentation (and me, its author). The current version can cause confusion, people can interpret it in different ways, plus there are gaps. It needs some serious restructuring. (This is why the document's not public.) Kurt (and other CNAs): the documentation problem is that ADT4 says "MERGE", which seems to imply that you should stop, but really you should continue to ADT5, which is about splitting based on different researchers. ADT4 is there to explicitly cover places where somebody might reasonably feel like splitting, but CVE does not. There are also a couple other decision points that aren't documented yet. You should generally fall through *all* the decision points, not just the first point that suggests split/merge/consult. That is, all of ADT1 through ADT5 should be examined when deciding how to group issues. - Steve
Ahhh.. I sort of wondered about that but never thought to ask. Derp! You should probably update that document and post it prominently somewhere, I know it has helped me a lot. -- -- Kurt Seifried / Red Hat Security Response Team
Current thread:
- Re: CVE Request: Security issue in backuppc Moritz Mühlenhoff (Jan 03)
- Re: CVE Request: Security issue in backuppc Kurt Seifried (Jan 03)
- Re: CVE Request: Security issue in backuppc Moritz Muehlenhoff (Jan 04)
- Re: CVE Request: Security issue in backuppc Steven M. Christey (Jan 04)
- Re: CVE Request: Security issue in backuppc Kurt Seifried (Jan 04)
- Re: CVE Request: Security issue in backuppc Moritz Muehlenhoff (Jan 04)
- Re: CVE Request: Security issue in backuppc Kurt Seifried (Jan 04)
- Re: CVE Request: Security issue in backuppc Kurt Seifried (Jan 03)