[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE-2008-4113 update: kernel: sctp: fix random
From:       Eugene Teo <eteo () redhat ! com>
Date:       2008-09-29 14:28:37
Message-ID: 48E0E615.7050700 () redhat ! com
[Download RAW message or body]

Hi Steve,

Eugene Teo wrote:
> Steven M. Christey wrote:
>> On Thu, 25 Sep 2008, Eugene Teo wrote:
>>> The first three references to CVE-2008-4113[1] are incorrect. Please
>>> update the CVE with the following references:
>>>
>>> http://marc.info/?l=linux-sctp&m=121986743009093&w=2
>>> http://marc.info/?l=linux-sctp&m=121986743209110&w=2
>>>
>>> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113
>> This was in reference to the TKADV2008-007 advisory.
>>
>> I guess the question becomes - TKADV2008-007 talks about separate issues,
>> one involving crashes by calling the API functions when SCTP-AUTH is
>> disabled (CVE-2008-3792), and another involving SCTP_HMAC_IDENT and a
>> length value for sctp_getsockopt_hmac_ident.
> 
> I see what the confusion is now.
> 
> TKADV2008-007[1] mentioned two separate, but related issues. The second
> issue that the advisory mentioned is an example of a function that may
> have two possible consequences, and it all depends on whether SCTP
> authentication is enabled or not.
> 
> The patch[2] that addressed these issues mentioned only one of them in
> the changelog description, even though it appears to be fixing possibly
> more than two issues.
> 
> Should this be assigned with just one CVE name instead of two?

I re-read it over again, and I agree that assigning two CVE names for
this makes sense. Sorry for the confusion.

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team
[prev in list] [next in list] [prev in thread] [next in thread]