PGP key for vulnerability reports
Mark Doliner
mark at kingant.net
Wed Jan 22 16:04:56 EST 2014
Good question, Rich. Let's ask my contact at Red Hat who helped issue
the CVE identifiers.
Tomas, is there discoverer attribution info associated with each CVE
ID? If so, could we double check who's listed for CVE-2013-6486 and
CVE-2013-6487. (Feel free to forward this email as you deem
appropriate.)
I believe it should ideally be:
CVE-2013-6486 - Yves Younan of Sourcefire VRT
CVE-2013-6487 - Yves Younan, Ryan Pentney, and Pawel Janic of Sourcefire VRT
Thanks,
Mark
On Wed, Jan 22, 2014 at 12:39 PM, Rich Johnson (richjoh)
<richjoh at cisco.com> wrote:
> Great, thanks for the update Mark. Did we manage to get credit merged so everyone shows up on the combined CVE? They're all a similar class of vulnerability but in different components so it seems a little unusual to merge them. I'm fine with that decision, I just want to make sure my guys get credited appropriately.
>
> Cheers,
> Rich Johnson
>
>
> -----Original Message-----
> From: Mark Doliner [mailto:mark at kingant.net]
> Sent: Wednesday, January 22, 2014 3:18 AM
> To: Richard Johnson
> Cc: Rich Johnson (richjoh); Pidgin Security; Yves Younan; VRT-vulndev (vrt-vulndev at sourcefire.com)
> Subject: Re: PGP key for vulnerability reports
>
> Hi again. Just wanted to share some info. The embargo date is set:
> Tuesday 2013-01-28 at 07:00 PST, 10:00 EST, 15:00 UTC.
>
> We'll be releasing Pidgin 2.10.8 at that time. And we have two CVEs for the bugs you found.
>
> CVE-2013-6486
> - Pidgin uses clickable links to untrusted executables
>
> CVE-2013-6487
> Used for three similar but different issues:
> - Buffer overflow in Gadu-Gadu HTTP parsing
> - Buffer overflow in MXit emoticon parsing
> - Buffer overflow in SIMPLE header parsing
More information about the security
mailing list