It is indeed valid. It is not uncommon for the MITRE list to take some time to catch up. The CVE ids are blocked to various CNAs, leading to the 5000s being currently assigned.
The discussion where the CVE is assigned is here:
http://www.openwall.com/lists/oss-security/2017/01/08/5

The ref for CVE ids and CNAs is here:
https://cve.mitre.org/cve/identifiers/index.html

--
Nicholas Luedtke
HPE Linux Security, Hewlett Packard Enterprise

-----Original Message-----
From: Francesco Poli [mailto:[email protected]]
Sent: Monday, January 09, 2017 11:14 AM
To: Debian Bug Tracking System <[email protected]>
Subject: Bug#850728: security-tracker: DSA-3756-1 vs. tracker

Package: security-tracker
Severity: normal

Hello everyone!

DSA-3756-1 [1] claims to talk about CVE-2017-5208 [2], but the CVE official list seems to know nothing about it [3].

Actually, have *so many* vulnerabilities been already indexed in the just started year 2017?!?
Is this a typo? Which is the correct CVE number?

Please clarify and fix the tracker data, as appropriate.

Thanks for your time!

[1] https://lists.debian.org/debian-security-announce/2017/msg00006.html
[2] https://security-tracker.debian.org/tracker/CVE-2017-5208
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5208
