CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure (fwd)


jericho
FYI for the other board members tracking CNA mistakes.

---------- Forwarded message ----------
From: Brian Martin <[hidden email]>
To: Microsoft Security Response Center <[hidden email]>
Cc: Common Vulnerabilities & Exposures <[hidden email]>,
     [hidden email]
Date: Tue, 11 Apr 2017 18:43:09 -0600
Subject: CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure


Microsoft,

https://jenkins.io/security/advisory/2017-02-01/

    Re-key admin monitor leaves behind unencrypted credentials in
    upgraded installations.

    SECURITY-376 / CVE-2017-2605

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/2017-2605

    2017-2605 | Defense-in-Depth Update for Microsoft Office
    Published: April 11, 2017

One of the CVE IDs you assigned today has already been assigned earlier this
year to an issue in Jenkins. Can you please confirm that 2017-2605 is part of
your CNA pool?

Jenkins CERT, if you have any records of where your assignment came from (e.g.
directly from MITRE), could you share them to help resolve this?

Thank you,

Brian Martin
Re: CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure (fwd)

Kurt Seifried
Yup, that was one of Red Hat's. Jenkins posted a request with multiple issues to the distros list; [hidden email] assigned that CVE, as well as others, on 2017-01-30 (give or take a half day because of timezones and whatnot). You can see it's aliased in our BZ to the related bug:


On Tue, Apr 11, 2017 at 6:44 PM, jericho <[hidden email]> wrote:

--
Kurt Seifried
[hidden email]