On 17/04/18 06:40, Salvatore Bonaccorso wrote:
> Hi Sam,
> 
> On Mon, Apr 09, 2018 at 10:19:34AM +1000, Sam Fowler wrote:
>> On Wed, 14 Mar 2018 16:22:19 +0100 Ole Streicher <oleb...@debian.org> wrote:
>>> FYI
>>>
>>>
>>> -------- Forwarded Message --------
>>> Subject: [Debian-astro-maintainers] ftools update
>>> Date: Wed, 14 Mar 2018 10:42:25 -0400
>>> From: Michael Arida <michael.ar...@nasa.gov>
>>> To: debian-astro-maintain...@lists.alioth.debian.org
>>>
>>>
>>> Dear Debian Astro Maintainers,
>>>
>>> As you may have noticed CFITSIO was updated Friday (March 2) for a
>>> major bug fix.  Since you have a software bundle that uses what we
>>> assume is CFITSIO somewhere under the hood, we wanted to let you know
>>> that you should update that code.  We are also expecting another
>>> update in April.
>>>
>>> If you have any questions or concerns, feel free to contact me.
>>>
>>> Regards,
>>>  Mike Arida
>>> ____________________________________________________________
>>> Michael Arida (ADNET)                     ASD/HEASARC
>>> 301.286.2291/1215 (voice/fax)          Code 660, NASA/GSFC
>>> michael.ar...@nasa.gov                 Greenbelt, MD 20771
>>>
>>> _______________________________________________
>>> Debian-astro-maintainers mailing list
>>> debian-astro-maintain...@lists.alioth.debian.org
>>> https://lists.alioth.debian.org/mailman/listinfo/debian-astro-maintainers
>>
>> This has been assigned has been assigned CVE-2018-1000166.
> 
> Looking at
> https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0531
> https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0529
> it looks for those issues already CVE-2018-3848, CVE-2018-3849 and
> CVE-2018-3846 were assigned and CVE-2018-1000166 is duplicate. Can you
> confirm? And if so ask for rejection of CVE-2018-1000166?
> 
> Regards,
> Salvatore

Hi Salvatore,

Looks like you are correct. I've request a rejection of CVE-2018-1000166
from DWF in favour of CVE-2018-3846. I've filed separate RH bugs for
CVE-2018-3848 and CVE-2018-3849.

Thanks for the heads up,
--
Sam Fowler, Red Hat Product Security

Reply via email to