Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4996 to the following vulnerability: ** DISPUTED ** Xfce4-session 4.5.91 in Xfce does not lock the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action, a related issue to CVE-2010-2532. NOTE: there is no general agreement that this is a vulnerability, because separate control over locking can be an equally secure, or more secure, behavior in some threat environments. References: [1] http://bugzilla.xfce.org/show_bug.cgi?id=4805 [2] https://bugzilla.redhat.com/show_bug.cgi?id=525395 [3] https://bugzilla.redhat.com/show_bug.cgi?id=587633 [4] https://bugzilla.redhat.com/show_bug.cgi?id=614608
Who requested this CVE? Has there been any attempt to contact upstream? If not, why doesn't RH Security Response do this?
Hi Christoph, this CVE was assigned recently by Mitre: [1] http://cve.mitre.org/ The only purpose of this Red Hat Bugzilla entry is to track the particular CVE id for future reference (in case some of the customers ask for information regarding it) and to perform further research on it (to determine whether the described behavior can represent a security threat). It is possible that after the research is complete, this bug will be closed (with the appropriate resolution). But until then we need to track it and need a way to reference it. Hope this helps. Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Thanks for your reply, Jan. (In reply to comment #2) > this CVE was assigned recently by Mitre: AFAIK there usually is somebody who *requests* the CVE from Mitre before it actually gets assigned. I would have expected this person to contact upstream first (which I did in the meantime).
Jan, can you tell me who actually requested the CVE?
(In reply to comment #4) > Jan, can you tell me who actually requested the CVE? Hi Christoph, unfortunately I can't. We found out about this report from the new CVE-2009-4996 identifier description in the Mitre CVE database, once it was assigned. So I do not know on what basis this was assigned. But when looking at the CVE-2009-4996 references: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4996 it looks like the earliest entry, which (probably) led to the CVE assignment, is the upstream bug report: [2] https://bugzilla.xfce.org/show_bug.cgi?id=4805 But you can privately check with Steven Christey of Mitre to be definitely sure about the catalyst that led to the assignment. Hope this helps. Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
A solution may come from this other related solution: https://github.com/linuxmint/cinnamon/issues/4324#issuecomment-1685426989