Xymon Mailing List Archive

CVE-ID mix-up/inconsistencies?

list Japheth Cleaver
Thu, 25 Jul 2019 08:10:58 -0700
Message-Id: <user-304028bcee40@xymon.invalid>

On 7/25/2019 6:24 AM, Axel Beckert wrote:
Hi Japheth,

On Tue, Jul 23, 2019 at 08:57:49AM -0700, Japheth Cleaver wrote:
The specific CVEs in question are:
 - CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473,
                                                              ^^^
 - CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
              ^^^

But in the information for Xymon packagers you wrote a slightly
differing set of CVE-IDs:
The CVEs in question are:
     history.c (service overflows histlogfn) = CVE-2019-13451
     reportlog.c (service overflows histlogfn) = CVE-2019-13452
     csvinfo.c (srdb overflows dbfn) = CVE-2019-13273
                                                  ^^^
     csvinfo.c (reflected XSS) = CVE-2019-13274
                                            ^^^
     acknowledge.c (htmlquoted(hostname) overflows msgline) = CVE-2019-13455
     appfeed.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13484
     history.c (hostname overflows selfurl) = CVE-2019-13485
     svcstatus.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13486
Which ones are the correct ones? I used the latter ones in my
changelog entry for the Debian package.

		Kind regards, Axel

Thanks, this is indeed a typo. The correct ones are CVE-2019-13*2*73 and 
CVE-2019-13*2*74, sent earlier, numerically the first in this set, both 
involving csvinfo.c (one for an overflow and one for the XSS).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13274

-jc