RE: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)
From: "Christey, Steven M." <coley () mitre org>
Date: Wed, 13 Feb 2013 17:07:06 +0000
We'll REJECT it.
Researchers in general should remain aware that bugs in security features do not necessarily constitute
vulnerabilities. And, as already implied in this thread - if functionality is broken but there is no attacker role, or
if the affected software is effectively placed into a more restricted "security policy" than intended, then this
behavior would be treated as a bug (or feature), not a vulnerability, so it would not receive a CVE.
From: Kurt Seifried [mailto:kseifried () redhat com]
Sent: Tuesday, February 12, 2013 11:34 PM
To: oss-security () lists openwall com
Cc: David Jorm; Christey, Steven M.
Subject: Re: [oss-security] CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)
On 02/12/2013 06:20 PM, David Jorm wrote:
> On 02/13/2013 10:29 AM, Kurt Seifried wrote:
>> Please use CVE-2012-6127 for this issue.
>>
>> OK, I should have looked into this deeper; it looks like it may
>> not be a security issue, but I'm not 100% certain, so for now I
>> will leave this, and if someone can show there is no security
>> impact I'll reject it. Sorry for the mix-up.
>
> This bug will cause valid certificates to be rejected, but will not
> cause invalid certificates to be accepted. Please reject the CVE.

Please reject CVE-2012-6127; it is not a security issue.
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
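Added example, not code from the thread or from the commons-httpclient code base (written in Python rather than Java so it runs stand-alone), to make the distinction drawn above concrete: a hostname matcher following the usual RFC 6125 wildcard rules, beside two constructed defective matchers, one that only rejects valid names (fail-closed, a bug by the reasoning in this thread) and one that also accepts invalid names (fail-open, an attacker-reachable vulnerability). The test cases and both defective variants are constructed for illustration and are not the actual commons-httpclient defect.

```python
from fnmatch import fnmatchcase

# Constructed test cases: (name in certificate, hostname being verified, should match?)
CASES = [
    ("www.example.com", "www.example.com", True),
    ("*.example.com", "www.example.com", True),
    ("f*.example.com", "foo.example.com", True),
    ("*.example.com", "example.com", False),       # wildcard must cover a label
    ("*.example.com", "a.b.example.com", False),   # '*' must not span a dot
    ("*.com", "example.com", False),               # too few labels right of '*'
    ("www.example.com", "www.example.org", False),
]

def rfc6125_match(pattern: str, hostname: str) -> bool:
    """Wildcard check in the spirit of RFC 6125 section 6.4.3: a single '*'
    only in the left-most label, never matching across '.', and at least two
    literal labels to its right."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    if len(pl) != len(hl) or len(pl) < 3 or pl[1:] != hl[1:] or "*" in ".".join(pl[1:]):
        return False
    if pl[0].count("*") != 1:
        return False
    prefix, suffix = pl[0].split("*")
    return (len(hl[0]) >= len(prefix) + len(suffix)
            and hl[0].startswith(prefix) and hl[0].endswith(suffix))

def too_strict_match(pattern: str, hostname: str) -> bool:
    """Constructed fail-closed defect: refuses every wildcard certificate."""
    return "*" not in pattern and pattern.lower() == hostname.lower()

def too_loose_match(pattern: str, hostname: str) -> bool:
    """Constructed fail-open defect: shell-style '*' that also crosses dots."""
    return fnmatchcase(hostname.lower(), pattern.lower())

def audit(verifier):
    """Count how a verifier errs: (valid names rejected, invalid names accepted).
    A non-zero second value is the attacker-relevant failure mode."""
    valid_rejected = sum(1 for p, h, ok in CASES if ok and not verifier(p, h))
    invalid_accepted = sum(1 for p, h, ok in CASES if not ok and verifier(p, h))
    return valid_rejected, invalid_accepted

if __name__ == "__main__":
    for v in (rfc6125_match, too_strict_match, too_loose_match):
        print(v.__name__, audit(v))
```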