Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 02 Mar 2016 08:53:51 -0500
From: Steve Grubb <sgrubb@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifried@...hat.com>, Bob Beck <beck@...nbsd.org>,
        CVE ID Requests <cve-assign@...re.org>
Subject: Re: Re: CVE's for SSLv2 support

On Tuesday, March 01, 2016 09:16:05 PM Kurt Seifried wrote:
> On Tue, Mar 1, 2016 at 9:03 PM, Bob Beck <beck@...nbsd.org> wrote:
> > While you certainly won't see me defending SSLv2 (I think we were the
> > first to delete it outright)
> > there are many other things that currently fall into that category..
> > I'm agreeing with your sentiment
> > but if you are to consider usage of SSLv2 as CVE worthy, then you will
> > need to do the same for SSH version 1,
> > among other things.   So while I certainly appreciate and even agree
> > with your sentiment, it seems rather timed
> > politically based on a decision made by one implementaiton of SSL/TLS
> > that reflects a decision made by most other
> > implementations long ago.   So far from me to say what CVE's should
> > and shouldn't be used for and issued for, but
> > if this is the road we're going down can I please have permission to
> > use your above quoted paragraph
> > with s/SSLv2/SSH V1/g to request a CVE for *usage or support* of SSH
> > version 1? You said it perfectly.
> 
> I would be totally fine with that, SSH protocol v1 is long overdue for
> "needs to be taken out back and shot along with whoever enabled it by
> default". From OpenSSH's sshd_config:
> 
> # The default requires explicit activation of protocol 1
> 
> I think that says it all.

I'm not entirely sure that CVE is the right vehicle to express the issue. 
Exploitation of this would be an attacker uses code to exploit a poor 
implementation or design problem. There are code weaknesses tracked by CWE, 
vulnerabilities in implementations tracked by CVE, and attacks tracked by 
CAPEC. They reference each other as follows CAPEC->CVE->CWE.

Maybe a CWE somewhere in this category is what you are after:
https://cwe.mitre.org/data/definitions/958.html

-Steve

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ