Date: Wed, 02 Mar 2016 08:53:51 -0500 From: Steve Grubb <sgrubb@...hat.com> To: oss-security@...ts.openwall.com Cc: Kurt Seifried <kseifried@...hat.com>, Bob Beck <beck@...nbsd.org>, CVE ID Requests <cve-assign@...re.org> Subject: Re: Re: CVE's for SSLv2 support On Tuesday, March 01, 2016 09:16:05 PM Kurt Seifried wrote: > On Tue, Mar 1, 2016 at 9:03 PM, Bob Beck <beck@...nbsd.org> wrote: > > While you certainly won't see me defending SSLv2 (I think we were the > > first to delete it outright) > > there are many other things that currently fall into that category.. > > I'm agreeing with your sentiment > > but if you are to consider usage of SSLv2 as CVE worthy, then you will > > need to do the same for SSH version 1, > > among other things. So while I certainly appreciate and even agree > > with your sentiment, it seems rather timed > > politically based on a decision made by one implementaiton of SSL/TLS > > that reflects a decision made by most other > > implementations long ago. So far from me to say what CVE's should > > and shouldn't be used for and issued for, but > > if this is the road we're going down can I please have permission to > > use your above quoted paragraph > > with s/SSLv2/SSH V1/g to request a CVE for *usage or support* of SSH > > version 1? You said it perfectly. > > I would be totally fine with that, SSH protocol v1 is long overdue for > "needs to be taken out back and shot along with whoever enabled it by > default". From OpenSSH's sshd_config: > > # The default requires explicit activation of protocol 1 > > I think that says it all. I'm not entirely sure that CVE is the right vehicle to express the issue. Exploitation of this would be an attacker uses code to exploit a poor implementation or design problem. There are code weaknesses tracked by CWE, vulnerabilities in implementations tracked by CVE, and attacks tracked by CAPEC. They reference each other as follows CAPEC->CVE->CWE. Maybe a CWE somewhere in this category is what you are after: https://cwe.mitre.org/data/definitions/958.html -Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ