Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 27 Jun 2014 12:42:00 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: Re: Question regarding CVE applicability of missing
 HttpOnly flag

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 27/06/14 10:35 AM, Vincent Danen wrote:
> On 06/26/2014, at 10:00 AM, Kurt Seifried wrote:
> 
>> On 26/06/14 05:45 AM, Jamie Strandboge wrote:
>>> Based on this email and the one this is in response to, I find
>>> this comment unclear. Is MITRE saying that:
>>> 
>>> a) lack of implementing SELinux, AppArmor, virus scanner,
>>> firewall, <insert hardening software here> does not justify a
>>> CVE because of the complexity? b) lack of implementing SELinux,
>>> AppArmor, virus scanner, firewall, <insert hardening software
>>> here> does not justify a CVE and also cannot be considered an
>>> implementation error because of the complexity? c) implementing
>>> SELinux, AppArmor, virus scanner, firewall, and/or <insert
>>> hardening software here> is not worth it because the added
>>> complexity intrinsically makes the system less secure? d)
>>> something else?
>>> 
>>> Thanks
>> 
>> So one comment on this, replace the above with "DAC" 
>> (http://en.wikipedia.org/wiki/Discretionary_access_control) and I
>> bet we'd hand it a CVE =).
>> 
>> Security lines move, I would expect most modern system of any
>> type (Windows, Linux, router, maybe not my bathroom scale that
>> talks wifi... yet) to have some sort of firewall enabled by
>> default and not simply leave everything exposed to the world. So
>> in that case not having a fire enabled by default would
>> definitely violate the principle of least surprise and maybe even
>> qualify for a CVE.
> 
> Wait.  You're saying that not having a firewall enabled by default
> qualifies for a CVE?  I mean, firewalls are pretty common sense and
> should definitely be used/available/whatever but to say that an
> operating system or device doesn't have a firewall enabled by
> default should have a CVE assigned seems... excessive, doesn't it?

I'm saying in quite a few common situations it should probably qualify
for a CVE. Not every single situation. Same for HTTPOnly.
> 
> How is not having a firewall enabled by default a _vulnerability_?
> If we look at it this way, it's a good thing CVEs go past 9999 per
> year because we need to change everything we used to call
> "hardening" to be a vulnerability, do we not?

How is not having DAC a _vulnerability_? and yet now DAC support is
required....


- -- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJTrbr4AAoJEBYNRVNeJnmTOvoP/it6lxjM/fO4LnerZJaEAkBu
AijbL8S4VmN0TNw7Dgkz6AB10fJAAufFzSquWmkJrg0LdxD56l1TGp2mFN8aKDvy
QaBColFlMCo2vqD1e9h3Pa/9JtP+De7ClzJPL0ZVGvYoUyX0QE6tSEAyN+H4mBiG
vYaRZexT9gIdLMIXznpDRizPXpbivEHhwFsYt5BEggJAAmtWUoROp8jdCaksWcrm
XR4Q+YiqwkLHXyxMb8ammUmOGAl3UUNbTNwYF++ExrR5ODahorflY1xfXheXcZPG
yZUbkPMix/KPuMwOznfGapaoXDwKfx2J13LaSZEvcxY2LrX1rEyQhQcyg4GLpllt
yeSRSf8rMGUOk6sSjUXDnxvPgG4s+Lu4bbsDG4+MDlO0HxX098JyCyvcmDoJLSYd
BBETEP5Ru5alI30lZV04dH+2mh8XLo2gBHlkiE7COEEYVpMJGXuoawxYpBq7ftoT
mHejJZ7KkJRQCjLzTPb7Z8ZMOJKUnqBUaI1LnozdxD2AsaJsNdbRiSHdz0eEMzTW
BC+Bw6h9Y2GpnP8eMq22F1ODW9nfaKR+ANepMirZVVC1wFxluZGhj0ejlIfNdxKU
SRavu6q8mkGEPtuDkscfAo8pcwRlK4PFjsh87HwFKLVJl627aCLkCMIaJhQf0a/C
71dwHYIa4Mk7mwa+O7s2
=NlLO
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.