[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE-2008-4113 update: kernel: sctp: fix random
From: Eugene Teo <eteo () redhat ! com>
Date: 2008-09-29 14:28:37
Message-ID: 48E0E615.7050700 () redhat ! com
[Download RAW message or body]
Hi Steve,
Eugene Teo wrote:
> Steven M. Christey wrote:
>> On Thu, 25 Sep 2008, Eugene Teo wrote:
>>> The first three references to CVE-2008-4113[1] are incorrect. Please
>>> update the CVE with the following references:
>>>
>>> http://marc.info/?l=linux-sctp&m=121986743009093&w=2
>>> http://marc.info/?l=linux-sctp&m=121986743209110&w=2
>>>
>>> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113
>> This was in reference to the TKADV2008-007 advisory.
>>
>> I guess the question becomes - TKADV2008-007 talks about separate issues,
>> one involving crashes by calling the API functions when SCTP-AUTH is
>> disabled (CVE-2008-3792), and another involving SCTP_HMAC_IDENT and a
>> length value for sctp_getsockopt_hmac_ident.
>
> I see what the confusion is now.
>
> TKADV2008-007[1] mentioned two separate, but related issues. The second
> issue that the advisory mentioned is an example of a function that may
> have two possible consequences, and it all depends on whether SCTP
> authentication is enabled or not.
>
> The patch[2] that addressed these issues mentioned only one of them in
> the changelog description, even though it appears to be fixing possibly
> more than two issues.
>
> Should this be assigned with just one CVE name instead of two?
I re-read it over again, and I agree that assigning two CVE names for
this makes sense. Sorry for the confusion.
Thanks, Eugene
--
Eugene Teo / Red Hat Security Response Team
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic