[VIM] Oracle intentionally requesting duplicate CVEs?

security curmudgeon jericho at attrition.org
Sat Jan 16 01:23:31 UTC 2010


Drop down to the BEA Product Suite matrix, first entry is for 
CVE-2010-0079 covering the JRocket component with 'See Note 1':

Sun MicroSystems released a Security Alert in November 2009 to address 
multiple vulnerabilities affecting the Sun Java Runtime Environment. 
Oracle CVE-2010-0079 refers to the advisories that were applicable to 
JRockit from the Sun Alert. The CVSS score of this vulnerability CVE# 
reflects the highest among those fixed in JRockit. The score is calculated 
by National Vulnerability Database (NVD), not Oracle. The complete list of 
all advisories addressed in JRockit under CVE-2010-0079 is as follows: 
CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, 
CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877.


This wording seems pretty clear that Oracle takes 2010-0079 to be a 
'summary' CVE that covers ten previously assigned CVE candidates.

This seems to go against the publicly defined CVE assigning process.

More information about the VIM mailing list