A few questions about cve.mitre.org

David Eisenstein deisenst at gtw.net
Mon Apr 24 03:07:25 UTC 2006


Hi there,

There is something I've always wondered...   How do CVE items in 
CVE's database have their status changed?  In my time of working with
vulnerabilities, I have only seen a few items graduate from 
Status="Candidate" to Status="..." (is it "Confirmed"?).

Another question.  How does one submit information or corrections
to the cve.mitre.org folks?  

I've been recently mentoring someone on identifying and reporting
vulnerabilities into Bugzilla (or "Vulnerability Tracking").  We were
reviewing <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058>.
In reviewing it, I noticed that its description, although true, is not the 
whole truth:

   "Signal handler race condition in Sendmail 8.13.x before 8.13.6
   allows remote attackers to execute arbitrary code by triggering
   timeouts in a way that causes the setjmp and longjmp function
   calls to be interrupted and modify unexpected memory locations."

Someone reading this summary description (and nothing else) might walk
away thinking, "Oh! I run Sendmail 8.11.6, so I am not vulnerable to
this issue." 

Although true that this affects Sendmail 8.13.x before 8.13.x, according
to Bugtraq ID 17192,
    <http://www.securityfocus.com/bid/17192>,
it exists also in Sendmail versions 8.12.x, 8.11.x, 8.10(.x), 8.9(.x), and
8.8.8, which is why Red Hat issued updates for RHEL 2.1 and 3 as well
as RHEL 4, and why Legacy issued updates for all distros we maintain.

So I would propose that the CVE people need to change the summary
description to say something like:

   "Signal handler race condition in Sendmail versions 8.8.8 before
   8.13.6 allows remote attackers to execute arbitrary code by
   triggering timeouts in a way that causes the setjmp and longjmp
   function calls to be interrupted and modify unexpected memory locations."

Also, what makes the CVE maintainers notice a given advisory and
maybe skip another?  The Fedora Legacy advisory FLSA:186277 mentioned
in CVE-2006-0058's references refers to an obsolete advisory, as
Legacy had to re-release sendmail with an updated advisory.

  * The original Legacy advisory for this issue is at
    <http://www.securityfocus.com/archive/1/archive/1/428656/100/0/threaded>
    (also at <http://www.securityfocus.com/archive/1/428656/100/0/threaded>)

  * The updated Legacy advisory is at
    <http://www.securityfocus.com/archive/1/430308/100/300/threaded>

Do we need to renumber the advisory so it will get attention by the CVE
folks?  Or make a special effort to send mail to the CVE people letting
them know that the reference in CVE-2006-0058 needs updating?  If so, who
do we write?

Thanks in advance!

    Warm regards,
    David Eisenstein
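The practical cost of the narrow summary wording is easiest to see in a version-range check of the kind a patch-audit script performs. The following is an added example, not part of the original post: it encodes the two ranges exactly as the post words them (the CVE summary's "8.13.x before 8.13.6" and the proposed "8.8.8 before 8.13.6" from BID 17192) and shows that Sendmail 8.11.6 is cleared by the first and flagged by the second. The range encoding and function names are this example's own assumptions.

```python
# Added example (not from the original post): compare how the narrow
# CVE-2006-0058 summary range and the broader range the post proposes
# classify the Sendmail versions the post mentions.
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Parse a dotted numeric version such as '8.13.6' into a tuple.
    A trailing '.x' (as in '8.13.x') is a wildcard: '8.13.x' -> (8, 13)."""
    parts = []
    for p in s.split("."):
        if p == "x":
            break
        if not p.isdigit():
            raise ValueError(f"non-numeric version component in {s!r}")
        parts.append(int(p))
    return tuple(parts)


def in_range(version: str, floor: Optional[str], fixed: str) -> bool:
    """True if `version` is affected: below `fixed` and, when a floor is
    given, at or above it. A floor written with '.x' (e.g. '8.13.x') means
    'any version whose leading components equal the given ones'."""
    v = parse_version(version)
    if v >= parse_version(fixed):
        return False          # fixed release or later: not affected
    if floor is None:
        return True
    fl = parse_version(floor)
    if floor.endswith(".x"):
        return v[:len(fl)] == fl   # wildcard floor: same major.minor only
    return v >= fl


# Ranges as worded in the post (constructed encoding of the two phrasings).
CVE_SUMMARY_RANGE = ("8.13.x", "8.13.6")   # "8.13.x before 8.13.6"
PROPOSED_RANGE = ("8.8.8", "8.13.6")       # "8.8.8 before 8.13.6"


def affected_under(version: str, rng: Tuple[str, str]) -> bool:
    floor, fixed = rng
    return in_range(version, floor, fixed)


def compare_ranges(versions):
    """Map each version to (narrow_says_affected, broad_says_affected)."""
    return {v: (affected_under(v, CVE_SUMMARY_RANGE),
                affected_under(v, PROPOSED_RANGE)) for v in versions}
```

Running `compare_ranges(["8.11.6"])` yields `(False, True)`: a scanner keyed on the summary wording alone would report the 8.11.6 host as not affected.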

More information about the Fedora-security-list mailing list