[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080104091620.GO4317@urchin.earth.li>
Date: Fri, 4 Jan 2008 09:16:20 +0000
From: Dominic Hargreaves <dom@...th.li>
To: "Steven M. Christey" <coley@...re.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: rPSA-2008-0001-1 dovecot
On Thu, Jan 03, 2008 at 08:13:04PM -0500, Steven M. Christey wrote:
>
> >> References:
> >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6598
> >
> >This CVE does not exist - do you mean
> >http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794
>
> No, CVE-2007-6598 is correct. Sometimes a CVE number is publicly used
> before it has been updated on the public CVE web server, especially
> with Linux distros (a couple Debian advisories today currently have
> the same issue). This "race condition" is an artifact of our CVE
> reservation and web site processes. This particular item will be on
> the CVE site shortly.
>
> >> http://wiki.rpath.com/Advisories:rPSA-2008-0001
> >
> >This is rather misleading - the bug was not in Dovecot, but in
> >nss_ldap. You may have put a workaround into Dovecot, but it would
> >have been polite to mention this fact.
>
> The announcement from Timo Sirainen, the upstream developer, does not
> mention nss_ldap :
>
> http://dovecot.org/list/dovecot-news/2007-December/000057.html
> http://dovecot.org/list/dovecot-news/2007-December/000058.html
>
> ... so perhaps some clarification is in order.
My apologies then - it looks like I made a bad assumption!
Cheers,
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Powered by blists - more mailing lists