List:       oss-security
Subject:    [oss-security] Re: More CVEs? (was Re: [oCERT-2011-003] multiple implementations denial-of-service v
From:       cve-assign () mitre ! org
Date:       2011-12-30 3:06:19
Message-ID: 201112300306.pBU36JnQ005083 () linus ! mitre ! org

Here's the initial CVE assignment status for the 13 products listed
in oCERT #2011-003, plus ASP.NET. The CVE descriptions are available
at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-#### URLs,
and will be on the MITRE CVE web site soon.

>Java

There's intentionally no CVE assigned by the MITRE CNA. The MITRE CNA
hasn't been proactively assigning CVEs to hash-table robustness issues
in implementations of general-purpose programming languages. As usual,
a CVE can be assigned for a software mistake that has a security
impact. Here, each maintainer of a language implementation can decide
whether there was a software mistake. The decision depends on what
robustness properties were intended. This happens to be a case in
which it's difficult for outside parties to discern what was intended.

>JRuby

CVE-2011-4838

>PHP

CVE-2011-4885

>Python

Again, there's intentionally no CVE assigned by the MITRE CNA because
this is an implementation of a general-purpose programming language,
and no implementation maintainer has requested a CVE.

>Rubinius

Again, there's intentionally no CVE assigned by the MITRE CNA because
this is an implementation of a general-purpose programming language,
and no implementation maintainer has requested a CVE.

>Ruby (only the Ruby MRI implementation)

CVE-2011-4815

>Apache Geronimo

CVE-2011-5034

>Apache Tomcat

CVE-2011-4084

At least at the moment, this CVE is intentionally not mapping to the
oCERT #2011-003 and n.runs-SA-2011.004 references. We might have a
pending REJECT on a closely related CVE that still has a reserved
status. This related CVE is the CVE referenced as "2011-12-16:
assigned CVE for Apache Tomcat" in the oCERT #2011-003 Timeline.

>Oracle Glassfish

CVE-2011-5035

>Jetty

CVE-2011-4461

>Plone

CVE-2011-4462

>Rack

CVE-2011-5036

>V8 JavaScript Engine

CVE-2011-5037

>ASP.NET

CVE-2011-3414

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S S145
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/obtain_id.html ]