[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Major outstanding CVE requests

To: oss-security <oss-security@lists.openwall.com>, CVE ID Requests<cve-assign@mitre.org>, cve-editorial-board-list<cve-editorial-board-list@lists.mitre.org>
Subject: Major outstanding CVE requests
From: Kurt Seifried <kseifried@redhat.com>
Date: Fri, 27 Nov 2015 13:41:54 -0700
Authentication-Results: spf=none (sender IP is 129.83.29.3)smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (messagenot signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=noneheader.from=redhat.com;
Delivery-Date: Fri Nov 27 16:10:27 2015
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
SpamDiagnosticMetadata: 43da9c421be74aed97248473db21fd15
SpamDiagnosticOutput: 1:2

So we have a number of PCRE issues that need CVE's and a git issue that needs a CVE (at this point we've actually shipped an update for it, most of these requests are more than a month old, and several are 2-3 months old. Red Hat needs CVE's for these, as do other vendors I'm sure. I know it's thanksgiving in the USA right now, but the backlog is becoming a problem. Can I have permission from Mitre to assign CVE's to these issues?

Git:

http://seclists.org/oss-sec/2015/q4/37

asked for Oct 5, pinged recently, still no answer.

PCRE:

======

https://blog.fuzzing-project.org/29-Heap-Overflow-in-PCRE.html

http://seclists.org/oss-sec/2015/q4/363

Appart from that a couple of other vulnerabilities found by other
people have been fixed in this release:
https://bugs.exim.org/show_bug.cgi?id=1672
Heap overflow in compile_regex
https://bugs.exim.org/show_bug.cgi?id=1515
Stack overflow in compile_regex
https://bugs.exim.org/show_bug.cgi?id=1667
Heap overflow in compile_regex

======

More PCRE:

======

http://seclists.org/oss-sec/2015/q4/364

The other unassigned issues already have open CVE requests:

https://bugs.exim.org/show_bug.cgi?id=1503
-> http://www.openwall.com/lists/oss-security/2015/05/31/5

https://bugs.exim.org/show_bug.cgi?id=1672
-> http://www.openwall.com/lists/oss-security/2015/08/24/1

https://bugs.exim.org/show_bug.cgi?id=1515
-> http://www.openwall.com/lists/oss-security/2015/05/31/4

https://bugs.exim.org/show_bug.cgi?id=1667
-> http://www.openwall.com/lists/oss-security/2015/08/05/3
======

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Prev by Date: Re: Regarding CVE assignments on oss-sec mailing list
Next by Date: Re: Major outstanding CVE requests
Prev by thread: RE: Regarding CVE assignments on oss-sec mailing list
Next by thread: Re: Major outstanding CVE requests
Index(es):
- Date
- Thread