[VIM] Oracle intentionally requesting duplicate CVEs?
jericho at attrition.org
Sat Jan 16 01:23:31 UTC 2010
Drop down to the BEA Product Suite matrix, first entry is for
CVE-2010-0079 covering the JRocket component with 'See Note 1':
Sun MicroSystems released a Security Alert in November 2009 to address
multiple vulnerabilities affecting the Sun Java Runtime Environment.
Oracle CVE-2010-0079 refers to the advisories that were applicable to
JRockit from the Sun Alert. The CVSS score of this vulnerability CVE#
reflects the highest among those fixed in JRockit. The score is calculated
by National Vulnerability Database (NVD), not Oracle. The complete list of
all advisories addressed in JRockit under CVE-2010-0079 is as follows:
CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872,
CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877.
This wording seems pretty clear that Oracle takes 2010-0079 to be a
'summary' CVE that covers ten previously assigned CVE candidates.
This seems to go against the publicly defined CVE assigning process.
More information about the VIM