Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 1 May 2018 01:17:36 +0300
From: Alexander Popov <alex.popov@...ux.com>
To: Kurt Seifried <kseifried@...hat.com>,
 oss-security <oss-security@...ts.openwall.com>
Cc: Kees Cook <keescook@...omium.org>, "Serge E. Hallyn" <serge@...lyn.com>,
 Brad Spengler <spender@...ecurity.net>, PaX Team <pageexec@...email.hu>,
 James Morris <jmorris@...ei.org>,
 "Reshetova, Elena" <elena.reshetova@...el.com>
Subject: Re: Re: Linux Kernel Defence Map

On 05.04.2018 02:55, Kurt Seifried wrote:
> Please use a CWE identifier if one exists (https://cwe.mitre.org/), if one
> doesn't exist perhaps we should have one (email me and I'm happy to help get
> that ball rolling). Having a CWE not only helps categorize things correctly but
> gives us something to point developers at for resources around flaws and how
> they can be avoided/dealt with/etc. 

Hello Kurt,

I've just added the corresponding CWE IDs to the vulnerability classes showed on
the map: https://github.com/a13xp0p0v/linux-kernel-defence-map

It think there is only one vuln class that misses a CWE ID -- Stack Depth
Overflow. We currently have CWE-674 (Uncontrolled Recursion), but it doesn't
cover the Stack Clash case, which also refers to Stack Depth Overflow.

Best regards,
Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ