Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE Request: Security issue in backuppc
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Wed, 4 Jan 2012 13:11:51 -0500 (EST)


A new CVE is needed for this. The new variant SHOULD receive a new CVE because there's a different researcher (specifically, Jamie) and effectively a different version (probably upstream; also, many distros may have already fixed the original CVE-2011-3361).

Blame the CVE content-decision documentation (and me, its author). The current version can cause confusion, people can interpret it in different ways, plus there are gaps. It needs some serious restructuring. (This is why the document's not public.)

Kurt (and other CNAs): the documentation problem is that ADT4 says "MERGE", which seems to imply that you should stop, but really you should continue to ADT5, which is about splitting based on different researchers. ADT4 is there to explicitly cover places where somebody might reasonably feel like splitting, but CVE does not. There are also a couple other decision points that aren't documented yet. You should generally fall through *all* the decision points, not just the first point that suggests split/merge/consult. That is, all of ADT1 through ADT5 should be examined when deciding how to group issues.

- Steve

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]