Date: Thu, 6 Mar 2014 15:32:24 -0500 (EST) From: cve-assign@...re.org To: hanno@...eck.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: konqueror not providing any protection against clickjacking -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > It may be debatable if that's a CVE issue, because it's basically a > "there's a general vulnerability in the way HTML/JS is done, there's a > protection mechanism and product X doesn't have it". Comprehensively tracking the introduction of new protection mechanisms and new security features across all browsers is not directly in the scope of CVE. There are a number of cases described either in older documents such as http://code.google.com/p/browsersec or newer documents such as http://www.strews.eu/results/5-web-platform-security-guide in which some browsers have chosen to block a type of attack whereas others have not. At the moment, these types of "competitive analysis" CVE requests may be deferred. In other words, CVE isn't really "about" a product suddenly transitioning from non-vulnerable to vulnerable solely because its development effort has lagged behind its competitors in a sufficiently important way for a sufficiently long period of time. The author of a product is free to announce software mistakes, and there may be opportunities for CVE assignments in cases of new codebases lacking a security feature that was already more-or-less ubiquitous before the software was written. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTGNq6AAoJEKllVAevmvmshoIH/A6sHp+gzIB2HxknclfLVEgr CbNFRRAykrxCthQbAM8IzET941ZdxT0vFu8ctT95o/+aT3R0pXVsGckjdqFqUwzf UEXmrtXYjCGY9RJBs+M20R3ZCWHrx9HCJ88MOEGc8G/JQy/mcumETn3XZ0+PixQA KOqbHLsD5T8HwFM2K2qP3gYefAc/PUYumcFmxfbw9k+MP/vvmCNsFRXlUnJJkIWX thdCpz9WTK9ihuJY99EUCAdAkWJHyrlz9px5j5lojHfC4ZY1gLUc2+fYJSPJbqMX Qc4UMTvuomelxl9hJZh1PTKvPVu+gK+xQXe1/kqXNex3zHM0rx+ueXgk6W4QEkM= =1SBL -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.