oss-sec mailing list archives

Re: CVE request for VDSM denial of service


From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 08 Oct 2014 10:32:12 -0600

On 08/10/14 03:34 AM, Sven Kieske wrote:
> On 08/10/14 09:34, Wade Mealing wrote:
>> Gday,
>>
>> The issue (outlined here https://bugzilla.redhat.com/show_bug.cgi?id=1148688 ) allows
>> an attacker to hold open an ssl connection effectively denying new connections the
>> ability to complete any new ssl connections.
>>
>> I would like a CVE number to assign to this issue.  Please assign me one.
>
> Doesn't RH assign its own CVEs anymore?

We do, but for public issues we prefer to ask here sometimes so as to
prevent duplicate assignments (e.g. it is possible for a race condition
to occur, Red Hat and Mitre both see something new, we see no CVE for it
so we both assign one).

I believe this one is
https://www.mail-archive.com/vdsm-patches@lists.fedorahosted.org/msg68420.html
(but don't quote me, wmealing is in .au and asleep so I can't confirm).

> I also wonder why this bug wasn't reported to upstream
> (wrong BZ "Product" at least it should get cloned to ovirt).

Because we learned about it from an upstream source.



-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
