Date: Thu, 26 Jun 2014 10:00:33 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: Re: Question regarding CVE applicability of missing HttpOnly flag

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 26/06/14 05:45 AM, Jamie Strandboge wrote:
> Based on this email and the one this is in response to, I find this
> comment unclear. Is MITRE saying that:
> 
> a) lack of implementing SELinux, AppArmor, virus scanner, firewall,
> <insert hardening software here> does not justify a CVE because of
> the complexity?
> 
> b) lack of implementing SELinux, AppArmor, virus scanner, firewall,
> <insert hardening software here> does not justify a CVE and also
> cannot be considered an implementation error because of the
> complexity?
> 
> c) implementing SELinux, AppArmor, virus scanner, firewall, and/or
> <insert hardening software here> is not worth it because the added
> complexity intrinsically makes the system less secure?
> 
> d) something else?
> 
> Thanks

So one comment on this: replace the above with "DAC"
(http://en.wikipedia.org/wiki/Discretionary_access_control) and I bet
we'd hand it a CVE =).

Security lines move; I would expect most modern systems of any type
(Windows, Linux, router, maybe not my bathroom scale that talks
wifi... yet) to have some sort of firewall enabled by default and not
simply leave everything exposed to the world. So in that case not
having a firewall enabled by default would definitely violate the
principle of least surprise and maybe even qualify for a CVE.

- -- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
