Re: [CVENEW] New CVE CANs: 2017/04/23 19:00 ; count=1


This doesn't work in the big picture of CVE.

On Sun, 23 Apr 2017, cve@mitre.org wrote:

: ======================================================
: Name: CVE-2014-9681
: Status: Candidate
: URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9681
: Final-Decision: 
: Interim-Decision: 
: Modified: 
: Proposed: 
: Assigned: 20150212
: Category: 
: ** REJECT **
: DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: none.  Reason: This
: candidate was withdrawn by its CNA.  Further investigation showed that
: it was not a security issue.  Notes: none.

On 2015-02-12, MITRE made this assignment:


   : Procmail is another program that recklessly whitelists TZ

     Use CVE-2014-9681 for the similar issue in procmail.

Now, jump to today, and the entry went from presumably RESERVED to 
REJECTED. Looking at NVD we see a better date history than MITRE offers:


Original release date:
Last revised:

Since MITRE has long blocked archival sites via robots.txt, which has 
been brought up before on list, we can't show evidence that this was 
yesterday and REJECTED today, but it is pretty clear.

So... this leaves two obvious questions:

1. This was a 2014 assignment, on oss-sec, on a public disclosure. Yet, 
the ID was RESERVED all this time. Why?

2. Tonight, the ID was suddenly REJECTED as "not a security issue", 
no additional information from MITRE, no reply to the old thread, and 
provenance for the "not an issue" decision. Why?

I fully understand #1 due to past MITRE issues. But today, the sudden 
change without information does not make sense, and does not seem 

I'd like to get more information on this, not just about CVE-2014-9681, 
but the general process that led to this decision.

Thank you,


Page Last Updated or Reviewed: April 25, 2017