Postgres Pro
Downloads
Home   >   mailing lists

Thread: Fwd: Incorrect CVE mappings in http://www.postgresql.org/support/security/ page

Fwd: Incorrect CVE mappings in http://www.postgresql.org/support/security/ page

From
Tom Lane
Date:
This was sent to pgsql-security, but there's no security issue as such,
so reposting to the list where people can fix it.
        regards, tom lane

------- Forwarded Message

Date:    Fri, 28 Mar 2014 15:41:48 +0000
From:    "Christey, Steven M." <coley@mitre.org>
To:      "security@postgresql.org" <security@postgresql.org>
cc:      Assign a CVE Identifier <cve-assign@mitre.org>
Subject: [pgsql-security] Incorrect CVE mappings in http://www.postgresql.org/support/security/ page

Hello,

On your http://www.postgresql.org/support/security/ page, you have the entries for CVE-2014-0063 and CVE-2014-0064
switched. That is, CVE-2014-0063 should be for the "Potential buffer overruns in datetime input/output," and
CVE-2014-0064should be for "Potential buffer overruns due to integer overflow in size calculations."
 

If you can fix this, it could reduce confusion by some people.  This might be the only page containing the erroneous
mapping. Other PostgreSQL pages, including the commits, associate CVE-2014-0063 with datetime and CVE-2014-0064 with
theinteger overflows.
 

Regards,
Steve Christey Coley
CVE assignment team, MITRE CVE Numbering Authority

------- End of Forwarded Message

Re: Fwd: Incorrect CVE mappings in http://www.postgresql.org/support/security/ page

From
Magnus Hagander
Date:
Fixed, will be out with the next site update.

//Magnus


On Fri, Mar 28, 2014 at 7:14 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
This was sent to pgsql-security, but there's no security issue as such,
so reposting to the list where people can fix it.

                        regards, tom lane

------- Forwarded Message

Date:    Fri, 28 Mar 2014 15:41:48 +0000
From:    "Christey, Steven M." <coley@mitre.org>
To:      "security@postgresql.org" <security@postgresql.org>
cc:      Assign a CVE Identifier <cve-assign@mitre.org>
Subject: [pgsql-security] Incorrect CVE mappings in
         http://www.postgresql.org/support/security/ page

Hello,

On your http://www.postgresql.org/support/security/ page, you have the entries for CVE-2014-0063 and CVE-2014-0064 switched.  That is, CVE-2014-0063 should be for the "Potential buffer overruns in datetime input/output," and CVE-2014-0064 should be for "Potential buffer overruns due to integer overflow in size calculations."

If you can fix this, it could reduce confusion by some people.  This might be the only page containing the erroneous mapping.  Other PostgreSQL pages, including the commits, associate CVE-2014-0063 with datetime and CVE-2014-0064 with the integer overflows.

Regards,
Steve Christey Coley
CVE assignment team, MITRE CVE Numbering Authority

------- End of Forwarded Message


--
Sent via pgsql-www mailing list (pgsql-www@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-www



--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/