Date: Wed, 02 Mar 2016 08:53:51 -0500
From: Steve Grubb <>
Cc: Kurt Seifried <>, Bob Beck <>,
        CVE ID Requests <>
Subject: Re: Re: CVE's for SSLv2 support

On Tuesday, March 01, 2016 09:16:05 PM Kurt Seifried wrote:
> On Tue, Mar 1, 2016 at 9:03 PM, Bob Beck <> wrote:
> > While you certainly won't see me defending SSLv2 (I think we were the
> > first to delete it outright)
> > there are many other things that currently fall into that category..
> > I'm agreeing with your sentiment
> > but if you are to consider usage of SSLv2 as CVE worthy, then you will
> > need to do the same for SSH version 1,
> > among other things.   So while I certainly appreciate and even agree
> > with your sentiment, it seems rather timed
> > politically based on a decision made by one implementation of SSL/TLS
> > that reflects a decision made by most other
> > implementations long ago.   So far from me to say what CVE's should
> > and shouldn't be used for and issued for, but
> > if this is the road we're going down can I please have permission to
> > use your above quoted paragraph
> > with s/SSLv2/SSH V1/g to request a CVE for *usage or support* of SSH
> > version 1? You said it perfectly.
> I would be totally fine with that, SSH protocol v1 is long overdue for
> "needs to be taken out back and shot along with whoever enabled it by
> default". From OpenSSH's sshd_config:
> # The default requires explicit activation of protocol 1
> I think that says it all.

I'm not entirely sure that CVE is the right vehicle to express the issue.
Exploitation of this would be an attacker using code to exploit a poor
implementation or design problem. There are code weaknesses tracked by CWE,
vulnerabilities in implementations tracked by CVE, and attacks tracked by
CAPEC. They reference each other as follows: CAPEC->CVE->CWE.

Maybe a CWE somewhere in this category is what you are after:
