Message-ID: <FC72FC641B949240B947AC6F1F83FBAF0697B06E@IMCMBX01.MITRE.ORG>
Date: Wed, 13 Feb 2013 17:07:06 +0000
From: "Christey, Steven M." <coley@...re.org>
To: Kurt Seifried <kseifried@...hat.com>, "oss-security@...ts.openwall.com"
	<oss-security@...ts.openwall.com>
CC: David Jorm <djorm@...hat.com>
Subject: RE: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)

We'll REJECT it.

Researchers in general should remain aware that bugs in security features do not necessarily constitute vulnerabilities.  And, as already implied in this thread - if functionality is broken but there is no attacker role, or if the affected software is effectively placed into a more restricted "security policy" than intended, then this behavior would be treated as a bug (or feature), not a vulnerability, so it would not receive a CVE.

- Steve



-----Original Message-----
From: Kurt Seifried [mailto:kseifried@...hat.com] 
Sent: Tuesday, February 12, 2013 11:34 PM
To: oss-security@...ts.openwall.com
Cc: David Jorm; Christey, Steven M.
Subject: Re: [oss-security] CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/12/2013 06:20 PM, David Jorm wrote:
> On 02/13/2013 10:29 AM, Kurt Seifried wrote:
>>> Please use CVE-2012-6127 for this issue.
>> Ok I should have looked into this deeper, it looks like it may
>> not be a security issue but I'm not 100% certain, so for now I
>> will leave this, and if someone can show there is no security
>> impact I'll reject it. Sorry for the mixup.
> 
> This bug will cause valid certificates to be rejected, but not for 
> invalid certificates to be accepted. Please reject the CVE.
> 
> Thanks David

Please reject CVE-2012-6127, it is not a security issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

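As an added illustration of the distinction David and Steve draw above (this is not code from jakarta-commons-httpclient and does not reproduce that library's actual wildcard bug), the following Python models a spec-style wildcard hostname check beside two constructed deviations and tests which of them is fail-closed; the patterns and hostnames are assumed sample values.

```python
from typing import Callable, Iterable, Set, Tuple

Matcher = Callable[[str, str], bool]

def _labels(name: str) -> list:
    return name.lower().rstrip(".").split(".")

def matches_spec(pattern: str, hostname: str) -> bool:
    """Reference rule (RFC 2818/6125 style): '*' is allowed only as the whole
    leftmost label and stands for exactly one non-empty label, so
    '*.example.com' matches 'www.example.com' but neither 'example.com'
    nor 'a.b.example.com'."""
    p, h = _labels(pattern), _labels(hostname)
    if any("*" in lbl for lbl in p[1:]) or (p[0] != "*" and "*" in p[0]):
        return False                       # wildcard anywhere else: refuse it
    if len(p) != len(h) or "" in h:
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def matches_strict(pattern: str, hostname: str) -> bool:
    """Constructed over-strict verifier (a stand-in, not the httpclient bug):
    it never honours a wildcard, so only exact names are accepted."""
    return "*" not in pattern and _labels(pattern) == _labels(hostname)

def matches_lax(pattern: str, hostname: str) -> bool:
    """Constructed over-permissive verifier: '*' absorbs any number of labels,
    so '*.example.com' also matches 'a.b.example.com'."""
    p, h = _labels(pattern), _labels(hostname)
    if p[0] == "*":
        return len(h) > len(p) - 1 and h[-(len(p) - 1):] == p[1:]
    return p == h

def accepted(m: Matcher, patterns: Iterable[str], hosts: Iterable[str]) -> Set[Tuple[str, str]]:
    return {(p, h) for p in patterns for h in hosts if m(p, h)}

def is_fail_closed(candidate: Matcher, reference: Matcher, patterns, hosts) -> bool:
    """True when everything the candidate accepts, the reference accepts too:
    the deviation can only refuse connections, never admit a bad name."""
    return accepted(candidate, patterns, hosts) <= accepted(reference, patterns, hosts)

def wrongly_rejected(candidate: Matcher, reference: Matcher, patterns, hosts) -> Set[Tuple[str, str]]:
    """Pairs the reference accepts but the candidate refuses: broken
    functionality (valid certificates rejected) with no attacker role."""
    return accepted(reference, patterns, hosts) - accepted(candidate, patterns, hosts)

# Constructed sample certificate name patterns and connection targets.
PATTERNS = ["*.example.com", "www.example.com"]
HOSTNAMES = ["www.example.com", "example.com", "a.b.example.com", "www.example.org"]
```

Running `is_fail_closed` and `wrongly_rejected` over the samples shows the strict variant only refuses a valid wildcard match (a bug, on the thread's reasoning), while the lax variant admits a name the reference rejects (the case that would have an attacker role).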
