Re: CVE Request: Regression introduced in cacti with fix for CVE-2013-1435
From: Vincent Danen <vdanen () redhat com>
Date: Thu, 8 Aug 2013 14:16:39 -0600
* [2013-08-08 21:20:59 +0200] Salvatore Bonaccorso wrote:
> The fix for CVE-2013-1435 introduced a regression:
> It was reported in  and upstream proposed a fix  which was
> confirmed to work by two of the involved people.
> The corresponding svn commits should be the following:
> Does this need a follow-up CVE assignment for the regression part

My understanding would be no. A follow-up CVE would be assigned if it
a) didn't fix the underlying security issue (it does) or b) introduced a
new security issue (it doesn't).
Botching the fix so that _functionality_ no longer works would not be
grounds for another CVE (although anyone backporting these would surely
want the additional fixes).
Vincent Danen / Red Hat Security Response Team