Date: Fri, 17 Sep 2010 14:58:55 -0400 From: Michael Gilbert <michael.s.gilbert@...il.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request: epiphany not checking ssl certs On Fri, 17 Sep 2010 14:45:28 -0400 (EDT), Steven M. Christey wrote: > > If an application does not advertise a security feature, then in general > we will not give a CVE because of its absence of the feature (I don't want > to give out 50,000 CVEs for every protocol that does cleartext > transmission... or uses DES... etc.) Similarly, we generally avoid > assigning CVEs to "defense in depth" fixes, although the line between > "vulnerability" and "defense in depth" can get fuzzy. > > The http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564690#5 title says > "Does not longer check certificates" which could be interpreted to mean > that it used to check certs, and now it doesn't. If that's the case, then > it makes sense to assign a CVE. The feature was lost in the transition from gecko to webkit (or more accurately libsoup for certificate support). I think it makes sense to assign an id since it does involve the loss of an expected security feature. Mike
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ