Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 21 Sep 2010 10:55:17 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: epiphany not checking ssl certs

Please use CVE-2010-3312 for this.

Thanks.

-- 
    JB


----- "Michael Gilbert" <michael.s.gilbert@...il.com> wrote:

> On Fri, 17 Sep 2010 14:45:28 -0400 (EDT), Steven M. Christey wrote:
> > 
> > If an application does not advertise a security feature, then in
> general 
> > we will not give a CVE because of its absence of the feature (I
> don't want 
> > to give out 50,000 CVEs for every protocol that does cleartext 
> > transmission... or uses DES... etc.)  Similarly, we generally avoid
> 
> > assigning CVEs to "defense in depth" fixes, although the line
> between 
> > "vulnerability" and "defense in depth" can get fuzzy.
> > 
> > The http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564690#5 title
> says 
> > "Does not longer check certificates" which could be interpreted to
> mean 
> > that it used to check certs, and now it doesn't.  If that's the
> case, then 
> > it makes sense to assign a CVE.
> 
> The feature was lost in the transition from gecko to webkit (or more
> accurately libsoup for certificate support). I think it makes sense
> to
> assign an id since it does involve the loss of an expected security
> feature.
> 
> Mike

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ