[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Moving ahead

Hello all,

I believe that the comment Adam makes regarding CAN-1999-0014 should
mean that the description should be modified, not that the candidate
should be rejected.  Rejected, in my mind, means that there is no
vulnerability or that another CVE entry covers the vulnerability under
consideration.   Do I understand the meaning of Rejected and Modify
correctly?

later,
marty.

Adam Shostack wrote:
> 
> Let me just clarify that I meant candidates, not issues.
> 
> Further, those candidates which I have not commented on to date I
> ACCEPT.
> 
> Adam
> 
> On Tue, Jun 15, 1999 at 09:58:43AM -0400, Adam Shostack wrote:
> |
> | We have disagreement on a few issues; I'll suggest that Steve put
> | those forth one at a time for consideration.  I'll also say that to do
> | a proper review job, the list was too long; I didn't start it several
> | times because I wanted to go through it in one go, and thus my
> | response was delayed.
> |
> | In addition, I want to raise three more, now that I've finished
> | looking into them.
> |
> | CAN-1999-0014 we have insufficient data if a new CDE dtappgather bug
> | comes out to determine if its new or a re-invention. (REJECT)
> |
> | CAN-1999-0032 the mention of (lp) is misleading.  The problem was with
> | the BSD lpr family, not the SYSV lp family.  (MODIFY)
> |
> | CAN-1999-0099 the problem was demonstrated publicly through sendmail,
> | there is no reason to expect it could not be used through another
> | program.  Suggest phrasing:  "A buffer overflow in syslog which was
> | demonstrably exploitable via sendmail."  (MODIFY)
> |
Page Last Updated or Reviewed: May 22, 2007