As a follow-up, Daniel Beck from the Jenkins project notified us today that they updated the CVE information for their part of the problematic CVE ID assignments/announcement/typos.
https://github.com/jenkins-infra/jenkins.io/pull/895/files
https://jenkins.io/security/advisory/2017-02-01/#re-key-admin-monitor-leaves-behind-unencrypted-credentials-in-upgraded-installations
Thanks.
-Dan
From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of Kurt Seifried <kurt@seifried.org>
Date: Tuesday, April 11, 2017 at 20:56
To: jericho <jericho@attrition.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure (fwd)
Yup, that was one of Red Hat's. Jenkins posted a request with multiple issues to the distros list, and amaris@redhat.com assigned that CVE as well as others on 2017-01-30 (give or take a half day because of timezones and whatnot). You can see it's aliased in our BZ to the related bug:
On Tue, Apr 11, 2017 at 6:44 PM, jericho <jericho@attrition.org> wrote:
FYI for the other board members tracking CNA mistakes.
---------- Forwarded message ----------
From: Brian Martin <brian@opensecurityfoundation.org>
To: Microsoft Security Response Center <secure@microsoft.com>
Cc: Common Vulnerabilities & Exposures <cve@mitre.org>,
jenkinsci-cert@googlegroups.com
Date: Tue, 11 Apr 2017 18:43:09 -0600
Subject: CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure
Microsoft,
https://jenkins.io/security/advisory/2017-02-01/
Re-key admin monitor leaves behind unencrypted credentials in upgraded installations.
SECURITY-376 / CVE-2017-2605
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/2017-2605
2017-2605 | Defense-in-Depth Update for Microsoft Office
Published: April 11, 2017
One of the CVE IDs you assigned today has already been assigned earlier this year to an issue in Jenkins. Can you please confirm that 2017-2605 is part of your CNA pool?
Jenkins CERT, if you have any records of where your assignment came from (e.g. directly from MITRE), could you share them to help resolve this?
Thank you,
Brian Martin
--