Message-Id: <200801040113.m041D4p5021000@faron.mitre.org>
Date: Thu, 3 Jan 2008 20:13:04 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: dom@...th.li
Cc: bugtraq@...urityfocus.com
Subject: Re: rPSA-2008-0001-1 dovecot


>> References:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6598
>
>This CVE does not exist - do you mean
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794

No, CVE-2007-6598 is correct.  Sometimes a CVE number is publicly used
before it has been updated on the public CVE web server, especially
with Linux distros (a couple Debian advisories today currently have
the same issue).  This "race condition" is an artifact of our CVE
reservation and web site processes.  This particular item will be on
the CVE site shortly.

>> http://wiki.rpath.com/Advisories:rPSA-2008-0001
>
>This is rather misleading - the bug was not in Dovecot, but in
>nss_ldap.  You may have put a workaround into Dovecot, but it would
>have been polite to mention this fact.

The announcement from Timo Sirainen, the upstream developer, does not
mention nss_ldap:

  http://dovecot.org/list/dovecot-news/2007-December/000057.html
  http://dovecot.org/list/dovecot-news/2007-December/000058.html

... so perhaps some clarification is in order.

- Steve
