[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Mozilla improper CVE assignment, does not conform to CNA rules
- To: CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
- Subject: Mozilla improper CVE assignment, does not conform to CNA rules
- From: jericho <jericho@attrition.org>
- Date: Wed, 19 Apr 2017 19:28:45 -0500
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;
- Delivery-date: Thu Apr 20 07:46:03 2017
- Importance: high
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- User-agent: Alpine 2.00 (LNX 1167 2008-08-23)
Board,We see this from time-to-time across many CNAs. I don't know if this has happened with Mozilla in the past, and I don't have time to dig into my notes. But with one of today's Mozilla advisories, they assigned a single new CVE ID to represent three other distinct issues in third-party code, that already had CVE IDs. They even go so far as to quote the prior IDs.
If this is not the case, then it certainly is confusing to Mozilla consumers and CVE stakeholders.
Brian -- https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/ CVE-2017-5437: Vulnerabilities in Libevent library DescriptionThree vulnerabilities were reported in the Libevent library that allow for out-of-bounds reads and denial of service (DoS) attacks: CVE-2016-10195, CVE-2016-10196, and CVE-2016-10197. These were fixed in the Libevent library and these changes were ported to Mozilla code.
- Follow-Ups:
- Re: Mozilla improper CVE assignment, does not conform to CNA rules
- From: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
- Re: Mozilla improper CVE assignment, does not conform to CNA rules
- From: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
- Re: Mozilla improper CVE assignment, does not conform to CNA rules
- Prev by Date: Re: MITRE can now accept CVE ID publication notifications formatted in JSON
- Next by Date: Re: Microsoft CNA assignment issues for April
- Previous by thread: CVE Board Meeting Minutes - 5 April 2017
- Next by thread: Re: Mozilla improper CVE assignment, does not conform to CNA rules
- Index(es):
