Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 31 Oct 2012 10:27:51 -0400 (EDT)
From: "Steven M. Christey" <>
To: Kurt Seifried <>
        "Steven M. Christey" <>,
        Josh Bressers <>
Subject: Re: Strange CVE situation (at least one ID should
 come of this)

On Tue, 30 Oct 2012, Kurt Seifried wrote:

> On 10/30/2012 11:34 AM, Steven M. Christey wrote:>
>> To have a CVE for "don't use this" is not consistent with
>> long-existing practice.  I don't recall ever intentionally
>> assigning a CVE for such a thing - after all, CVE is about
>> vulnerabilities, and "don't use this" is awfully vague.
> True, but we've already gone down that road, e.g.:
> CVE-2012-2400 	Unspecified vulnerability in
> wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown
> impact and attack vectors.

That's not the same as a generic "don't use this."  For this 
CVE-2012-2400, there is a specific advisory from a specific vendor telling 
customers to patch a vulnerability.  It's "unspecified" all over the place 
due to lack of details, so risk analysis is problematic, but it's a 
statement of some kind of vulnerability in a specifc version by an 
authoritative source.

Oracle and HP publish advisories like this on a regular basis.

>> Deployment of risky software is effectively a configuration or
>> asset management issue, which is well outside the scope of CVE.
>> (Maybe it's more like a Common Configuration Enumeration (CCE)
>> issue.)
> If anything I think it would fit into CPE

CPE is neutral on security - it's just about identifying software packages 
and versions.  One main use is in vulnerability management, but it's more 
general than that.

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.