Re: [CVENEW] New CVE CANs: 2017/04/23 19:00 ; count=1
MITRE,
This doesn't work in the big picture of CVE.
On Sun, 23 Apr 2017, cve@mitre.org wrote:
: ======================================================
: Name: CVE-2014-9681
: Status: Candidate
: URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9681
: Final-Decision:
: Interim-Decision:
: Modified:
: Proposed:
: Assigned: 20150212
: Category:
:
: ** REJECT **
:
: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This
: candidate was withdrawn by its CNA. Further investigation showed that
: it was not a security issue. Notes: none.
On 2015-02-12, MITRE made this assignment:
http://seclists.org/oss-sec/2015/q1/533
: Procmail is another program that recklessly whitelists TZ
Use CVE-2014-9681 for the similar issue in procmail.
Now, jump to today, and the entry went from presumably RESERVED to
REJECTED. Looking at NVD we see a better date history than MITRE offers:
https://nvd.nist.gov/vuln/detail/CVE-2014-9681
Original release date: 04/23/2017
Last revised: 04/23/2017
Since MITRE has long blocked archival sites via robots.txt, which has been
brought up before on list, we can't show evidence that this was RESERVED
yesterday and REJECTED today, but it is pretty clear.
So... this leaves two obvious questions:
1. This was a 2014 assignment, on oss-sec, on a public disclosure. Yet,
the ID was RESERVED all this time. Why?
2. Tonight, the ID was suddenly REJECTED as "not a security issue", with
no additional information from MITRE, no reply to the old thread, and no
provenance for the "not an issue" decision. Why?
I fully understand #1 due to past MITRE issues. But today, the sudden
change without information does not make sense, and does not seem
appropriate.
I'd like to get more information on this, not just about CVE-2014-9681,
but the general process that led to this decision.
Thank you,
Brian