Date: Tue, 07 Oct 2014 17:57:25 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: cve-assign@...re.org
CC: oss-security@...ts.openwall.com
Subject: Re: Discussion: information leakage from server and client software - CVE/hardening/other?



On 07/10/14 03:56 PM, cve-assign@...re.org wrote:
>> So for example the
>> http://boingboing.net/2014/10/07/adobe-ebook-drm-secretly-build.html
>> article would indicate to me that this is CVE worthy under #4
> 
> Currently not; Adobe has a statement quoted at:
> 
>   http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-logs-back-to-adobe-in-plain-text/
> 
> indicating that the information disclosure is intentional, and is
> (from their point of view) useful to them. This is just an example of
> a behavior that might also occur in an open-source product. The Adobe
> issue itself is off-topic for this list.

Then by that measure we could, for example, have challenged CVE-2011-4083
by saying that it is useful to us. The same would go for any
"unsanitized" log file submissions. I fear this is a slippery slope
where vendors can effectively game their CVE numbers with "oh we meant
to do that", which makes CVE much less useful =(


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


