Date: Fri, 27 Jun 2014 19:09:03 -0600 From: "Vincent Danen" <vdanen@...hat.com> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com, jamie@...onical.com Subject: Re: Question regarding CVE applicability of missing HttpOnly flag On 06/27/2014, at 14:03 PM, cve-assign@...re.org wrote: >> I suppose maybe there is a CWE for not having a virus scanner, which >> makes sense as that could be considered an overall system weakness. > > Neither CVE nor CWE attempts to cover the general topic of system > integration, i.e., questions such as "given the composition and role > of this entire system, is it unreasonable to omit a virus scanner?" In > practice, both CVE and CWE often tend to be about questions that may > come up when considering somewhere around one line of code or one file > of code. (This is just an observational statement, not an attempt to > redefine why CVE and CWE exist.) Typical audiences may include (among > others) developers who need to write a line of code safely or system > administrators who need to patch a faulty line of code. > > This doesn't mean that there's any objection to someone taking the > position that lack of a virus scanner is the most serious security > concern that they see in an entire system. This is a valid perspective > but is outside of the problem spaces in which CVE and CWE have been > operating. Even if everyone were looking at "whether or not a flaw is > a flaw" decisions in precisely the same way, a conclusion of "yes, > this system would really benefit from a virus scanner" leaves open the > question of the best place to capture that information. Then shouldn't be the same be true of the HttpOnly flag? That line of thought is pretty much what I think in regards to that flag. I don't know if you missed my comment in an earlier message, so I'll note it below because I think this is the real point: "Kurt's argument about everything having an XSS makes it sound like, and the reasoning provided here as well, that we should no longer consider XSS a security flaw, but the absence of HttpOnly the security flaw. I mean, if setting this flag "fixes" all XSS issues, then we should no longer be assigning CVEs to XSS issues, only to web servers/services that do not set HttpOnly or browsers that do not respect/handle it properly. They can't _both_ get CVEs or be considered flaws, can they?" -- Vincent Danen / Red Hat Product Security Download attachment "signature.asc" of type "application/pgp-signature" (711 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ