Christian Fischer <christian.fisc...@greenbone.net> writes:

> On Fri, 03 Aug 2018 14:42:16 +0200 wf...@niif.hu (Ferenc Wágner) wrote:
>
>> Unfortunately the CVE hasn't arrived yet; I'll
>> forward it to you once it does. My acknowledgement mail is of
>> subject "CVE Request 548000 for CVE ID Request" from
>> cve-requ...@mitre.org (just for the record).
>
> have you received a CVE for this issue yet? Tried to look around in
> various sources but wasn't able to identify a published CVE for this
> issue yet.
Hi,

I haven't received a CVE for this issue, unfortunately. My original request was deflected by Mitre saying that the Apache Software Foundation should issue this CVE. However, the Apache webpage states that they issue IDs for undisclosed vulnerabilities only. My three followup mails asking for clarification remained unanswered by Mitre.

To add more bad news, according to http://santuario.apache.org/ the just released 2.0.2 fixes a very similar bug, which might mean another DoS; I couldn't investigate yet. But if it does, we'll need yet another CVE for that. I'm sending out some queries.

--
Regards,
Feri