PGP key for vulnerability reports

Tomas Hoger thoger at
Thu Jan 23 16:54:24 EST 2014

On Thu, 23 Jan 2014 10:15:56 +0100 Tomas Hoger wrote:

> > I believe it should ideally be:
> > CVE-2013-6486 - Yves Younan of Sourcefire VRT
> > CVE-2013-6487 - Yves Younan, Ryan Pentney, and Pawel Janic of
> > Sourcefire VRT
> Ah, I see there is more detail for these now than were available
> before.


> Assignment tried to follow documented CVE content decisions:
> These say that issues of the same flaw type and affecting same version
> are typically expected to be merged under the same id.  Different
> reporter is, while not documented above, also considered a reason to
> split.  The info we previously had for the 3 issues under
> CVE-2013-6487 was limited to "discovered by Sourcefire VRT", hence
> split was not done on different reporter.

We reviewed this taking into an account the new info provided and
decided to split the assignment as follows:

Buffer overflow in Gadu-Gadu HTTP parsing.

Buffer overflow in MXit emoticon parsing.

Buffer overflow in SIMPLE header parsing.

Sorry for the mess this caused, hope it's still enough time to release
to avoid having it too messy once it's public.

Tomas Hoger / Red Hat Security Response Team

More information about the security mailing list