|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure (fwd)
- To: jericho <jericho@attrition.org>
- Subject: Re: CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure (fwd)
- From: Kurt Seifried <kurt@seifried.org>
- Date: Tue, 11 Apr 2017 18:56:23 -0600
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=seifried.org;
- Cc: CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
- Delivery-date: Wed Apr 12 07:48:43 2017
- In-reply-to: <alpine.LNX.2.00.1704111943160.19881@forced.attrition.org>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <alpine.LNX.2.00.1704111943160.19881@forced.attrition.org>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
Yup, that was one of Red Hat's, Jenkins posted a request with multiple issues to the distros list, amaris@redhat.com assigned that CVE as well as others on 2017-01-30 (give or take a half day because timezones and whatnot). You can see it's aliased in our BZ to the related bug:
On Tue, Apr 11, 2017 at 6:44 PM, jericho <jericho@attrition.org> wrote:
FYI for the other board members tracking CNA mistakes.
---------- Forwarded message ----------
From: Brian Martin <brian@opensecurityfoundation.org >
To: Microsoft Security Response Center <secure@microsoft.com>
Cc: Common Vulnerabilities & Exposures <cve@mitre.org>,
jenkinsci-cert@googlegroups.com
Date: Tue, 11 Apr 2017 18:43:09 -0600
Subject: CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure
Microsoft,
https://jenkins.io/security/advisory/2017-02-01/
Re-key admin monitor leaves behind unencrypted credentials in
upgraded installations.
SECURITY-376 / CVE-2017-2605
https://portal.msrc.microsoft.com/en-US/security-guidance/ad visory/2017-2605
2017-2605 | Defense-in-Depth Update for Microsoft Office
Published: April 11, 2017
One of the CVE IDs you assigned today has already been assigned earlier this year to an issue in Jenkins. Can you please confirm that 2017-2605 is part of your CNA pool?
Jenkins CERT, if you have any records of where your assignment came from (e.g. directly from MITRE), could you share them to help resolve this?
Thank you,
Brian Martin
Kurt Seifried
kurt@seifried.org
kurt@seifried.org
- References:
- CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure (fwd)
- From: jericho <jericho@attrition.org>
- CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure (fwd)
- Prev by Date: CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure (fwd)
- Next by Date: RE: Microsoft CNA assignment issues for April
- Previous by thread: CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure (fwd)
- Next by thread: Re: CVE Collision in Microsoft advisory today w/ prior Jenkins disclosure
- Index(es):