PGP key for vulnerability reports

Mark Doliner mark at
Wed Jan 22 16:04:56 EST 2014

Good question, Rich. Let's ask my contact at Red Hat who helped issue
the CVE identifiers.

Tomas, is there discoverer attribution info associated with each CVE
ID? If so, could we double check who's listed for CVE-2013-6486 and
CVE-2013-6487. (Feel free to forward this email as you deem

I believe it should ideally be:
CVE-2013-6486 - Yves Younan of Sourcefire VRT
CVE-2013-6487 - Yves Younan, Ryan Pentney, and Pawel Janic of Sourcefire VRT


On Wed, Jan 22, 2014 at 12:39 PM, Rich Johnson (richjoh)
<richjoh at> wrote:
> Great, thanks for the update Mark. Did we manage to get credit merged so everyone shows up on the combined CVE? They're all a similar class of vulnerability but in different components so it seems a little unusual to merge them. I'm fine with that decision, I just want to make sure my guys get credited appropriately.
> Cheers,
> Rich Johnson
> -----Original Message-----
> From: Mark Doliner [mailto:mark at]
> Sent: Wednesday, January 22, 2014 3:18 AM
> To: Richard Johnson
> Cc: Rich Johnson (richjoh); Pidgin Security; Yves Younan; VRT-vulndev (vrt-vulndev at
> Subject: Re: PGP key for vulnerability reports
> Hi again. Just wanted to share some info. The embargo date is set:
> Tuesday 2013-01-28 at 07:00 PST, 10:00 EST, 15:00 UTC.
> We'll be releasing Pidgin 2.10.8 at that time. And we have two CVEs for the bugs you found.
> CVE-2013-6486
> - Pidgin uses clickable links to untrusted executables
> CVE-2013-6487
> Used for three similar but different issues:
> - Buffer overflow in Gadu-Gadu HTTP parsing
> - Buffer overflow in MXit emoticon parsing
> - Buffer overflow in SIMPLE header parsing

More information about the security mailing list