Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 31 Oct 2012 10:27:51 -0400 (EDT)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: Kurt Seifried <kseifried@...hat.com>
cc: oss-security@...ts.openwall.com,
        "Steven M. Christey" <coley@...-smtp.mitre.org>,
        Josh Bressers <bressers@...hat.com>
Subject: Re: Strange CVE situation (at least one ID should
 come of this)


On Tue, 30 Oct 2012, Kurt Seifried wrote:

>
> On 10/30/2012 11:34 AM, Steven M. Christey wrote:>
>>
>> To have a CVE for "don't use this" is not consistent with
>> long-existing practice.  I don't recall ever intentionally
>> assigning a CVE for such a thing - after all, CVE is about
>> vulnerabilities, and "don't use this" is awfully vague.
>
> True, but we've already gone down that road, e.g.:
>
> CVE-2012-2400 	Unspecified vulnerability in
> wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown
> impact and attack vectors.

That's not the same as a generic "don't use this."  For this 
CVE-2012-2400, there is a specific advisory from a specific vendor telling 
customers to patch a vulnerability.  It's "unspecified" all over the place 
due to lack of details, so risk analysis is problematic, but it's a 
statement of some kind of vulnerability in a specifc version by an 
authoritative source.

Oracle and HP publish advisories like this on a regular basis.

>> Deployment of risky software is effectively a configuration or
>> asset management issue, which is well outside the scope of CVE.
>> (Maybe it's more like a Common Configuration Enumeration (CCE)
>> issue.)
>
> If anything I think it would fit into CPE

CPE is neutral on security - it's just about identifying software packages 
and versions.  One main use is in vulnerability management, but it's more 
general than that.

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.