[VIM] RubyGems dupe CVE assignment? (for BID / CVE)

Dinesh Theerthagiri Dinesh_Theerthagiri at symantec.com
Wed Oct 2 00:41:58 CDT 2013


Hi,

CVE-2013-4287 and CVE-2013-4363 are both different issues. 

From the link: http://seclists.org/oss-sec/2013/q3/628

"Ok please please use CVE-2013-4363 for this issue (incomplete fix for CVE-2013-4287)."

And the credit given in the OSVDB link is wrong. If you go through the link:
http://seclists.org/oss-sec/2013/q3/576

"This vulnerability was discovered by Damir Sharipov <dammer2k () gmail com>".

At this moment we are sure why this problem occurs. We are trying to fix this ASAP. Once it's done I'll let you know.

But originally we had reference links in the vulnerability report and updated it accordingly.


Thanks,
T.Dinesh

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of security curmudgeon
Sent: Tuesday, September 24, 2013 2:49 AM
To: vim at attrition.org
Subject: [VIM] RubyGems dupe CVE assignment? (for BID / CVE)
Importance: High


http://www.securityfocus.com/bid/62442
CVE-2013-4363

http://osvdb.org/97163
CVE-2013-4287

These have different creditees. The BID entry is too vague to figure out if this is a dupe assignment or not.

http://www.securityfocus.com/bid/62442/solution

Solution:
Updates are available. Please see the references or vendor advisory for more information.

http://www.securityfocus.com/bid/62442/references

References:
(blank)


It would be really nice if BID could treat the public database differently than their private one to avoid this, as it is very common and entirely frustrating.

