CVE-2018-10886 Clarify why we kept the CVE

author: Salvatore Bonaccorso <carnil@debian.org> 2020-12-21 14:55:27 +0100
committer: Salvatore Bonaccorso <carnil@debian.org> 2020-12-21 14:55:27 +0100
commit: 54734e35d6d51892535606462ab1295f5f752d94 (patch)
tree: f91019b04d2981abed5eba8cd554d26123d145c7 /data/CVE/2018.list
parent: 3b76477149af3003e4bbbdfa5f4d29b2f2c50a21 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/data/CVE/2018.list b/data/CVE/2018.list
index e62a263f6b..9f1de715b5 100644
--- a/data/CVE/2018.list
+++ b/data/CVE/2018.list
@@ -27674,8 +27674,10 @@ CVE-2018-10886
 	NOTE: https://github.com/apache/ant/commit/f72406d53cfb3b3425cc9d000eea421a0e05d8fe
 	NOTE: https://github.com/apache/ant/commit/857095da5153fd18504b46f276d84f1e76a66970
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1584407
-	NOTE: The CVE will be rejected, as it was assigned by Red Hat's CNA but is out of
-	NOTE: scope of the assigning CNA.
+	NOTE: The CVE was rejected, as it was assigned by Red Hat's CNA but is out of
+	NOTE: scope of the assigning CNA. The rejection was not due to technical invalid
+	NOTE: issue but because it was assigned by a CNA which did not cover the scope
+	NOTE: for ant. Would fall under Apache CNA instead.
 CVE-2018-10885 (In atomic-openshift before version 3.10.9 a malicious network-policy c ...)
 	NOT-FOR-US: atomic-openshift
 CVE-2018-10884 (Ansible Tower before versions 3.1.8 and 3.2.6 is vulnerable to cross-s ...)
author	Salvatore Bonaccorso <carnil@debian.org>	2020-12-21 14:55:27 +0100
committer	Salvatore Bonaccorso <carnil@debian.org>	2020-12-21 14:55:27 +0100
commit	54734e35d6d51892535606462ab1295f5f752d94 (patch)
tree	f91019b04d2981abed5eba8cd554d26123d145c7 /data/CVE/2018.list
parent	3b76477149af3003e4bbbdfa5f4d29b2f2c50a21 (diff)