Date: Tue, 21 Sep 2010 10:55:17 -0400 (EDT) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request: epiphany not checking ssl certs Please use CVE-2010-3312 for this. Thanks. -- JB ----- "Michael Gilbert" <michael.s.gilbert@...il.com> wrote: > On Fri, 17 Sep 2010 14:45:28 -0400 (EDT), Steven M. Christey wrote: > > > > If an application does not advertise a security feature, then in > general > > we will not give a CVE because of its absence of the feature (I > don't want > > to give out 50,000 CVEs for every protocol that does cleartext > > transmission... or uses DES... etc.) Similarly, we generally avoid > > > assigning CVEs to "defense in depth" fixes, although the line > between > > "vulnerability" and "defense in depth" can get fuzzy. > > > > The http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564690#5 title > says > > "Does not longer check certificates" which could be interpreted to > mean > > that it used to check certs, and now it doesn't. If that's the > case, then > > it makes sense to assign a CVE. > > The feature was lost in the transition from gecko to webkit (or more > accurately libsoup for certificate support). I think it makes sense > to > assign an id since it does involve the loss of an expected security > feature. > > Mike
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ