Mozilla improper CVE assignment, does not conform to CNA rules


Mozilla improper CVE assignment, does not conform to CNA rules

jericho
Board,

We see this from time-to-time across many CNAs. I don't know if this has
happened with Mozilla in the past, and I don't have time to dig into my
notes. But with one of today's Mozilla advisories, they assigned a single
new CVE ID to represent three other distinct issues in third-party code,
that already had CVE IDs. They even go so far as to quote the prior IDs.

If this is not the case, then it certainly is confusing to Mozilla
consumers and CVE stakeholders.

Brian

--

https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/

CVE-2017-5437: Vulnerabilities in Libevent library

Description

Three vulnerabilities were reported in the Libevent library that allow for
out-of-bounds reads and denial of service (DoS) attacks: CVE-2016-10195,
CVE-2016-10196, and CVE-2016-10197. These were fixed in the Libevent
library and these changes were ported to Mozilla code.

Re: Mozilla improper CVE assignment, does not conform to CNA rules

Adinolfi, Daniel R

Greetings,

Thanks for pointing this out. We will investigate this with Mozilla and report back.

-Dan

From: <[hidden email]> on behalf of jericho <[hidden email]>
Date: Wednesday, April 19, 2017 at 20:28
To: cve-editorial-board-list <[hidden email]>
Subject: Mozilla improper CVE assignment, does not conform to CNA rules

 


Re: Mozilla improper CVE assignment, does not conform to CNA rules

Adinolfi, Daniel R

Greetings,

We talked through the details with our contacts at Mozilla, and they will be rejecting CVE-2017-5437.

Please let us know if you have any other questions.

Thanks.

-Dan
