
Re: [CVENEW] New CVE CANs: 2017/04/23 19:00 ; count=1



MITRE,

This doesn't work in the big picture of CVE.

On Sun, 23 Apr 2017, cve@mitre.org wrote:

: ======================================================
: Name: CVE-2014-9681
: Status: Candidate
: URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9681
: Final-Decision: 
: Interim-Decision: 
: Modified: 
: Proposed: 
: Assigned: 20150212
: Category: 
: 
: ** REJECT **
: 
: DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: none.  Reason: This
: candidate was withdrawn by its CNA.  Further investigation showed that
: it was not a security issue.  Notes: none.

On 2015-02-12, MITRE made this assignment:

http://seclists.org/oss-sec/2015/q1/533

   : Procmail is another program that recklessly whitelists TZ

     Use CVE-2014-9681 for the similar issue in procmail.

Now, jump to today, and the entry went from presumably RESERVED to 
REJECTED. Looking at NVD we see a better date history than MITRE offers:

https://nvd.nist.gov/vuln/detail/CVE-2014-9681

Original release date: 04/23/2017
Last revised: 04/23/2017

Since MITRE has long blocked archival sites via robots.txt, which has been
brought up before on list, we can't show evidence that this was RESERVED
yesterday and REJECTED today, but it is pretty clear.

So... this leaves two obvious questions:

1. This was a 2014 assignment, on oss-sec, on a public disclosure. Yet,
the ID was RESERVED all this time. Why?

2. Tonight, the ID was suddenly REJECTED as "not a security issue", with
no additional information from MITRE, no reply to the old thread, and no
provenance for the "not an issue" decision. Why?

I fully understand #1 due to past MITRE issues. But today, the sudden 
change without information does not make sense, and does not seem 
appropriate.

I'd like to get more information on this, not just about CVE-2014-9681, 
but the general process that led to this decision.

Thank you,

Brian


Page Last Updated or Reviewed: April 25, 2017