PGP key for vulnerability reports
Tomas Hoger
thoger at redhat.com
Thu Jan 23 16:54:24 EST 2014
On Thu, 23 Jan 2014 10:15:56 +0100 Tomas Hoger wrote:
> > I believe it should ideally be:
> > CVE-2013-6486 - Yves Younan of Sourcefire VRT
> > CVE-2013-6487 - Yves Younan, Ryan Pentney, and Pawel Janic of
> > Sourcefire VRT
>
> Ah, I see there is more detail for these now than was available
> before.
...
> Assignment tried to follow documented CVE content decisions:
>
> http://cve.mitre.org/cve/editorial_policies/cd_abstraction.html
>
> These say that issues of the same flaw type and affecting same version
> are typically expected to be merged under the same id. Different
> reporter is, while not documented above, also considered a reason to
> split. The info we previously had for the 3 issues under
> CVE-2013-6487 was limited to "discovered by Sourcefire VRT", hence
> split was not done on different reporter.
We reviewed this taking into account the new info provided and
decided to split the assignment as follows:
CVE-2013-6487
Buffer overflow in Gadu-Gadu HTTP parsing.
CVE-2013-6489
Buffer overflow in MXit emoticon parsing.
CVE-2013-6490
Buffer overflow in SIMPLE header parsing.
Sorry for the mess this caused, hope it's still enough time to release
to avoid having it too messy once it's public.
--
Tomas Hoger / Red Hat Security Response Team