Home page logo

oss-sec logo oss-sec mailing list archives

Re: Vulnerabilitites in Debian F*EX <= 20100208 and F*EX 20111129-2.
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Thu, 23 Feb 2012 13:10:40 -0500 (EST)

Nico Golde said:

Can someone please assign a CVE id to this? Given that all of
the vulnerable input parameters are in the fup component, I
guess one id should be sufficient.

We actually need two CVEs here.

Which components the vulnerabilities are in, is rarely relevant for deciding how many CVEs to assign. Much more critical is which versions are affected. The original researcher provided two advisories for 2 different versions. So even though "fup" is affected, we mould need to SPLIT if there are some items/vectors/issues that affect different versions than others (hint: we will SPLIT.)

Kurt said:

Please use CVE-2012-0869 for this issue.

Here are the breakdowns for the two advisories/versions:

F*EX <= 20100208
  fup / from parameter
  fup / to parameter
  fup / id parameter

F*EX 20111129-2
  fup / id parameter

So, based on the original report, we have:

  20100208 only:
    fup / from
    fup / to

  20100208 *and* 20111129-2
    fup / id

So, we MERGE the "fup" and "from" vectors since they affect the same version, and we SPLIT these from the "id" vector. (For the incredibly detail-oriented: whether the parameters come via GET or POST methods is irrelevant for CVE.)

Now, the question is which issue we link with CVE-2012-0869. Since Debian bug 660621 focuses on the id parameter, and that paremeter affects both listed versions, I guess it makes sense to focus CVE-2012-0869 on the id parameter.

I've assigned CVE-2012-1293 for the "from" and "to" parameters that are only listed for 20100208.

- Steve

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]