[gnutls-devel] Use CVE-2015-6251 for GNUTLS-SA-2015-3.
Nikos Mavrogiannopoulos
nmav at gnutls.org
Tue Sep 1 16:19:18 CEST 2015
On Tue, Sep 1, 2015 at 8:32 AM, Sona Sarmadi <sona.sarmadi at enea.com> wrote:
> Greetings,
> The Security Advisories page below says: "GNUTLS-SA-2015-2 No CVE assigned"
> http://www.gnutls.org/security.html#GNUTLS-SA-2015-1
> Mitre has assigned CVE-2015-6251 for GNUTLS-SA-2015-3:
> http://www.openwall.com/lists/oss-security/2015/08/17/6
> Just wanted to ping you to update the page, not sure though if this is the right mailing list.
Hello Sona,
This is the right mailing list. Not sure I understand the request.
GNUTLS-SA-2015-3 has CVE-2015-6251 assigned, and I think that this is
visible in the security page. GNUTLS-SA-2015-2 has indeed no CVE
assigned which is also reflected in that page.
> One question,
> Why is "CVE-2015-3308 gnutls: use-after-free flaw in CRL distribution points parsing" not listed in
> the Security Advisories page?
I tend to prioritise advisories for issues that affect the majority of
applications. E.g., if there is a bug which causes a crash in all
gnutls clients, it will get an advisory as soon; for issues that
affect only a small set of applications, an advisory may be skipped.
For these issues we rely mostly on 3rd parties' advisories. That's not
ideal, but a compromise due to limited time at the moment.
> (This is, for some reason unknown to me, still "** RESERVED **" by Mitre:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3308)
Is that related to the no CVE assigned issue above?
regards,
Nikos