Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 6 Mar 2014 15:32:24 -0500 (EST)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: konqueror not providing any protection against clickjacking

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> It may be debatable if that's a CVE issue, because it's basically a
> "there's a general vulnerability in the way HTML/JS is done, there's a
> protection mechanism and product X doesn't have it".

Comprehensively tracking the introduction of new protection mechanisms
and new security features across all browsers is not directly in the
scope of CVE. There are a number of cases described either in older
documents such as http://code.google.com/p/browsersec or newer
documents such as
http://www.strews.eu/results/5-web-platform-security-guide in which
some browsers have chosen to block a type of attack whereas others
have not. At the moment, these types of "competitive analysis" CVE
requests may be deferred. In other words, CVE isn't really "about" a
product suddenly transitioning from non-vulnerable to vulnerable
solely because its development effort has lagged behind its
competitors in a sufficiently important way for a sufficiently long
period of time. The author of a product is free to announce software
mistakes, and there may be opportunities for CVE assignments in cases
of new codebases lacking a security feature that was already
more-or-less ubiquitous before the software was written.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTGNq6AAoJEKllVAevmvmshoIH/A6sHp+gzIB2HxknclfLVEgr
CbNFRRAykrxCthQbAM8IzET941ZdxT0vFu8ctT95o/+aT3R0pXVsGckjdqFqUwzf
UEXmrtXYjCGY9RJBs+M20R3ZCWHrx9HCJ88MOEGc8G/JQy/mcumETn3XZ0+PixQA
KOqbHLsD5T8HwFM2K2qP3gYefAc/PUYumcFmxfbw9k+MP/vvmCNsFRXlUnJJkIWX
thdCpz9WTK9ihuJY99EUCAdAkWJHyrlz9px5j5lojHfC4ZY1gLUc2+fYJSPJbqMX
Qc4UMTvuomelxl9hJZh1PTKvPVu+gK+xQXe1/kqXNex3zHM0rx+ueXgk6W4QEkM=
=1SBL
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.