On Fri, October 15, 2021 14:37, Paul Lesniewski wrote:
>
> This was on my radar, but given your situation, I went ahead and contacted
> both NIST and MITRE just now. If you have the FreeBSD maintainer's
> contact info, I can work with that person too, but I don't understand what
> you need from that person? Maybe you want them to invalidate/reject the
> ticket on their bug tracker?
>

From what I can gather from the NIST website, each issuer of a version of the software, in other words the packaged version (apt, yum, rpm, pkg, etc.), can individually notify the NIST, via email, that their version/package does not have the vulnerability. This is additional to the development team. I speculate that this practice allows distribution-specific patches to be recorded against the CVE that are created before the upstream developers respond.

I looked up the details of the person who wrote the message to openwall and their github account. They have/had a fork of SM on github that they claimed to patch to deal with security issues. In the message used to originate this CVE they claimed to have contacted you directly respecting this matter before they posted on openwall.

Thanks for your attention to this. I appreciate it very much.

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne          mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited    http://www.harte-lyne.ca
9 Brockley Drive        vox: +1 905 561 1241
Hamilton, Ontario       fax: +1 905 561 0757
Canada L8E 3C3