Re: rPSA-2008-0001-1 dovecot

From: Dominic Hargreaves <dom@earth.li>
To: Steven M. Christey <coley@mitre.org>
Cc: bugtraq@securityfocus.com
Subject: Re: rPSA-2008-0001-1 dovecot
Date:


On Thu, Jan 03, 2008 at 08:13:04PM -0500, Steven M. Christey wrote:
> 
> >> References:
> >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6598
> >
> >This CVE does not exist - do you mean
> >http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794
> 
> No, CVE-2007-6598 is correct.  Sometimes a CVE number is publicly used
> before it has been updated on the public CVE web server, especially
> with Linux distros (a couple Debian advisories today currently have
> the same issue).  This "race condition" is an artifact of our CVE
> reservation and web site processes.  This particular item will be on
> the CVE site shortly.
> 
> >> http://wiki.rpath.com/Advisories:rPSA-2008-0001
> >
> >This is rather misleading - the bug was not in Dovecot, but in
> >nss_ldap.  You may have put a workaround into Dovecot, but it would
> >have been polite to mention this fact.
> 
> The announcement from Timo Sirainen, the upstream developer, does not
> mention nss_ldap :
> 
>   http://dovecot.org/list/dovecot-news/2007-December/000057.html
>   http://dovecot.org/list/dovecot-news/2007-December/000058.html
> 
> ... so perhaps some clarification is in order.

My apologies then - it looks like I made a bad assumption!

Cheers,

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)





Copyright © 1995-2019 LinuxRocket.net. All rights reserved.