Date: Thu, 15 Jun 2017 10:14:38 -0700 From: Feng Cao <feng.cao@...cle.com> To: oss-security@...ts.openwall.com CC: Kurt Seifried <kseifried@...hat.com> Subject: Re: Re: MySQL - use-after-free after mysql_stmt_close() There are several issues which need to be addressed before considering CVE for documentation. First, most of the documentations have no version control. Second, CPE doesn't have such a category. Third, it can easily generate the confusion with CVE for the code fix. My vote is no. Thanks, --Feng On 6/15/2017 7:21 AM, Kurt Seifried wrote: > This does bring up an old question: > > Should we assign CVEs for code examples/documentation? E.g. We assign CVEs > for code shipped to people in digital form. Why not assign CVEs for code in > documentation or commonly used examples? We can go with the rational that > CVEs get assigned to the affected code bases (e.g. when someone implements > that documentation/code), but it might also be good to educate the > community about bad examples/documentation/etc. > > My thinking is: > > 1) Official documentation that says "do this [insecure thing]" should > probably get a CVE (e.g. "turn off all the encryption to make it work more > easily"). This should probably get a CVE, especially as it results in > operational changes which won't get a CVE (since it's not in code that > "ships", it's just on the end of whoever is using it). > > 2) Official code examples, as above, actual implementations get CVEs, it > might be useful to raise awareness that the example is bad. > > 3) Unofficial but commonly used documentation and code examples, I guess > the best example here is stackoverflow and friends? > > Thoughts/comments (feel free to reply privately if you don't want to be > public)? I'd like to collect what people think and then present it to the > CVE board later (this has been on my long term todo list). > > > On Thu, Jun 15, 2017 at 7:50 AM, Adam Maris <amaris@...hat.com> wrote: > >> On Mon, 2017-06-12 at 23:47 +0200, Pali Rohár wrote: >>> Hello! >>> >>> Any idea how to handle this particular problem? >>> >>> >> Hi! >> >> Given that Oracle (silently) updated the vulnerable example in their >> documentation, this likely indicates the way to handle this - >> applications that copied the vulnerable example needs to be fixed and >> CVEs will be assigned per application. >> >> Best Regards, >> >> -- >> Adam Mariš, Red Hat Product Security >> 1CCD 3446 0529 81E3 86AF 2D4C 4869 76E7 BEF0 6BC2 >> > >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ