Hi there, There is something I've always wondered... How do CVE items in CVE's database have their status changed? In my time of working with vulnerabilities, I have only seen a few items graduate from Status="Candidate" to Status="..." (is it "Confirmed"?). Another question. How does one submit information or corrections to the cve.mitre.org folks? I've been recently mentoring someone on identifying and reporting vulnerabilities into Bugzilla (or "Vulnerability Tracking"). We were reviewing <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058>. In reviewing it, I noticed that its description, although true, is not the whole truth: "Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations." Someone reading this summary description (and nothing else) might walk away thinking, "Oh! I run Sendmail 8.11.6, so I am not vulnerable to this issue." Although true that this affects Sendmail 8.13.x before 8.13.x, ac- cording to Bugtraq ID 17192, <http://www.securityfocus.com/bid/17192>, it exists also in Sendmail versions 8.12.x, 8.11.x 8.10(.x), 8.9(.x), and 8.8.8. Which is why Red Hat issued updates for RHEL 2.1 and 3 as well as RHEL 4, and why Legacy issued updates for all distro's we maintain. So I would propose that the CVE people need to change the summary description to say something like: "Signal handler race condition in Sendmail versions 8.8.8 before 8.13.6 allows remote attackers to execute arbitrary code by trig- gering timeouts in a way that causes the setjmp and longjmp func- tion calls to be interrupted and modify unexpected memory locations." Also -- What makes the CVE maintainers notice a given advisory and maybe skip another? The Fedora Legacy advisory FLSA:186277 mentioned in CVE-2006-0058's references is referring to an obsolete advisory, as Legacy had to re-release sendmail with an updated advisory. * The original Legacy advisory for this issue is at <http://www.securityfocus.com/archive/1/archive/1/428656/100/0/threaded> (also at <http://www.securityfocus.com/archive/1/428656/100/0/threaded>) * The updated Legacy advisory is at <http://www.securityfocus.com/archive/1/430308/100/300/threaded> Do we need to renumber the advisory so it will get attention by the CVE folks? Or make a special effort to send mail to the CVE people letting them know that the reference in CVE-2006-0058 needs updating? If so, who do we write? Thanks in advance! Warm regards, David Eisenstein
