Date: Wed, 31 Oct 2012 10:27:51 -0400 (EDT)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: Kurt Seifried <kseifried@...hat.com>
cc: oss-security@...ts.openwall.com, "Steven M. Christey" <coley@...-smtp.mitre.org>, Josh Bressers <bressers@...hat.com>
Subject: Re: Strange CVE situation (at least one ID should come of this)

On Tue, 30 Oct 2012, Kurt Seifried wrote:

> On 10/30/2012 11:34 AM, Steven M. Christey wrote:
>
>> To have a CVE for "don't use this" is not consistent with
>> long-existing practice. I don't recall ever intentionally
>> assigning a CVE for such a thing - after all, CVE is about
>> vulnerabilities, and "don't use this" is awfully vague.
>
> True, but we've already gone down that road, e.g.:
>
> CVE-2012-2400 Unspecified vulnerability in
> wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown
> impact and attack vectors.

That's not the same as a generic "don't use this." For this CVE-2012-2400, there is a specific advisory from a specific vendor telling customers to patch a vulnerability. It's "unspecified" all over the place due to lack of details, so risk analysis is problematic, but it's a statement of some kind of vulnerability in a specific version by an authoritative source. Oracle and HP publish advisories like this on a regular basis.

>> Deployment of risky software is effectively a configuration or
>> asset management issue, which is well outside the scope of CVE.
>> (Maybe it's more like a Common Configuration Enumeration (CCE)
>> issue.)
>
> If anything I think it would fit into CPE

CPE is neutral on security - it's just about identifying software packages and versions. One main use is in vulnerability management, but it's more general than that.

- Steve