Hi there,
There is something I've always wondered... How do CVE items in CVE's database have their status changed? In my time of working with vulnerabilities, I have only seen a few items graduate from Status="Candidate" to Status="..." (is it "Confirmed"?).
Another question. How does one submit information or corrections to the cve.mitre.org folks?
I've been recently mentoring someone on identifying and reporting vulnerabilities into Bugzilla (or "Vulnerability Tracking"). We were reviewing http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058. In reviewing it, I noticed that its description, although true, is not the whole truth:
"Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations."
Someone reading this summary description (and nothing else) might walk away thinking, "Oh! I run Sendmail 8.11.6, so I am not vulnerable to this issue."
Although true that this affects Sendmail 8.13.x before 8.13.x, according to Bugtraq ID 17192, http://www.securityfocus.com/bid/17192, it exists also in Sendmail versions 8.12.x, 8.11.x, 8.10(.x), 8.9(.x), and 8.8.8, which is why Red Hat issued updates for RHEL 2.1 and 3 as well as RHEL 4, and why Legacy issued updates for all distros we maintain.
So I would propose that the CVE people need to change the summary description to say something like:
"Signal handler race condition in Sendmail versions 8.8.8 before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations."
Also -- What makes the CVE maintainers notice a given advisory and maybe skip another? The Fedora Legacy advisory FLSA:186277 mentioned in CVE-2006-0058's references is referring to an obsolete advisory, as Legacy had to re-release sendmail with an updated advisory.
* The original Legacy advisory for this issue is at http://www.securityfocus.com/archive/1/archive/1/428656/100/0/threaded (also at http://www.securityfocus.com/archive/1/428656/100/0/threaded)
* The updated Legacy advisory is at http://www.securityfocus.com/archive/1/430308/100/300/threaded
Do we need to renumber the advisory so it will get attention by the CVE folks? Or make a special effort to send mail to the CVE people letting them know that the reference in CVE-2006-0058 needs updating? If so, who do we write?
Thanks in advance!
Warm regards, David Eisenstein
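To make the triage gap described above concrete, here is an added example (not code from the thread, from Fedora Legacy or from CVE) that pulls the "X before Y" version range out of each wording and checks an installed Sendmail version against it. Reading "8.13.x" as a lower bound of 8.13.0 and treating the lower bound as inclusive are assumptions of the example, not CVE policy.

```python
import re
from typing import Dict, Tuple

# Constructed inputs: the CVE-2006-0058 summary as published, and the
# broader wording proposed in the post above (both shortened).
PUBLISHED = ("Signal handler race condition in Sendmail 8.13.x before 8.13.6 "
             "allows remote attackers to execute arbitrary code")
PROPOSED = ("Signal handler race condition in Sendmail versions 8.8.8 before "
            "8.13.6 allows remote attackers to execute arbitrary code")

# Matches "Sendmail 8.13.x before 8.13.6" and "Sendmail versions 8.8.8 before 8.13.6".
RANGE_RE = re.compile(r"Sendmail (?:versions )?(\d+(?:\.(?:\d+|x))*) before (\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.11.6' -> (8, 11, 6). A trailing 'x' (as in '8.13.x') is read as 0,
    i.e. the start of that branch; that reading is an assumption."""
    return tuple(0 if part == "x" else int(part) for part in text.split("."))


def affected_range(description: str) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Return (inclusive lower bound, exclusive upper bound) from a summary."""
    m = RANGE_RE.search(description)
    if m is None:
        raise ValueError("no 'X before Y' version range found in description")
    return parse_version(m.group(1)), parse_version(m.group(2))


def is_affected(installed: str, description: str) -> bool:
    lo, hi = affected_range(description)
    return lo <= parse_version(installed) < hi


def triage(installed: str) -> Dict[str, bool]:
    """What each wording tells an admin who runs `installed` and reads nothing else."""
    return {"published": is_affected(installed, PUBLISHED),
            "proposed": is_affected(installed, PROPOSED)}


if __name__ == "__main__":
    for v in ("8.11.6", "8.13.5", "8.13.6"):
        print(v, triage(v))
```

For 8.11.6 the published wording says "not affected" while the proposed wording says "affected", which is exactly the misreading the post warns about.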
> There is something I've always wondered... How do CVE items in CVE's database have their status changed? In my time of working with vulnerabilities, I have only seen a few items graduate from Status="Candidate" to Status="..." (is it "Confirmed"?).
This along with much other information is covered here: http://cve.mitre.org/about/
> Another question. How does one submit information or corrections to the cve.mitre.org folks?
You can mail cve@mitre.org with your corrections. Please keep in mind that they are swamped with the volume of security issues, so your correction will take some time.
> Also -- What makes the CVE maintainers notice a given advisory and maybe skip another? The Fedora Legacy advisory FLSA:186277 mentioned in CVE-2006-0058's references is referring to an obsolete advisory, as Legacy had to re-release sendmail with an updated advisory.
> * The original Legacy advisory for this issue is at http://www.securityfocus.com/archive/1/archive/1/428656/100/0/threaded (also at http://www.securityfocus.com/archive/1/428656/100/0/threaded)
> * The updated Legacy advisory is at http://www.securityfocus.com/archive/1/430308/100/300/threaded
> Do we need to renumber the advisory so it will get attention by the CVE folks? Or make a special effort to send mail to the CVE people letting them know that the reference in CVE-2006-0058 needs updating? If so, who do we write?
You can mail them telling them where the new advisory is (once again though, this will take time to be updated as this would be a low-priority task). This is one of the problems with using a mailing list to publish your advisories. Once it's published, it's read-only.
security@lists.fedoraproject.org