Date: Thu, 19 Nov 2015 04:18:42 +0300 From: Solar Designer <solar@...nwall.com> To: "Zach W." <kestrel@...linux.us> Cc: oss-security@...ts.openwall.com Subject: Re: CVE-2015-7266 On Wed, Nov 18, 2015 at 03:58:14PM -0800, Zach W. wrote: > Anybody have any idea what the deal is with this CVE, since it's > referenced in http://media.pixalate.com/white-papers/xindi.pdf? It's > being splattered all over the news, but the CVE is still in "reservered" Kurt has already commented on the CVE aspect, but I'd like to point out that the Subject line of this message is inappropriate, especially given that the message body didn't include the required detail as well. Subjects must be descriptive, whereas including only a CVE ID is not. (If another moderator were not quick to approve Zach's message, I would insist on the Subject being corrected first.) Going to the URL in Zach's message, I see that page 6 of the PDF says: "The Amnesia Bug is a critical vulnerability (CVE-2015-7266) in the OpenRTB v2.3 protocol implementation, which is the standard for real-time digital media buying and selling. This vulnerability allows fraudsters to conceal the true status of an ad transaction [...]" I think the above detail must have been included in Zach's message, in order not to waste people's time on figuring out whether the vulnerability is relevant to them (upon reading this, most people would conclude that it is not). And a proper Subject could be: "CVE-2015-7266 - OpenRTB 2.3 protocol implementation Amnesia Bug" as per these guidelines: http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines "When applicable, the message Subject must include the name and version(s) of affected software, and vulnerability type. For example, a Subject saying only "CVE request" or "CVE-2099-99999" is not appropriate, whereas "CVE request - Acme Placeholder 1.0 buffer overflow" or "CVE-2099-99999 - Acme Placeholder 1.0 buffer overflow" would be OK." Another issue with having this on oss-security is that it's unclear whether the OpenRTB implementation in question is Open Source or not. The OpenRTB specification is on GitHub: http://openrtb.github.io/OpenRTB/ https://github.com/openrtb/OpenRTB but it is unclear where implementations are, and which one is affected. Overall, I'd like oss-security to be more focused on technical detail, and less on CVEs. I can tolerate postings that include both technical detail and CVE IDs or requests (and if getting a CVE ID is why someone posts, that's fine, as long as the very same message also brings valuable detail to this community). I won't tolerate CVE-only postings lacking any detail at all (and referencing an external PDF without even mentioning the software or technology in question is not good enough). Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ