Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 6 Mar 2014 15:32:24 -0500 (EST)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: konqueror not providing any protection against clickjacking

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> It may be debatable if that's a CVE issue, because it's basically a
> "there's a general vulnerability in the way HTML/JS is done, there's a
> protection mechanism and product X doesn't have it".

Comprehensively tracking the introduction of new protection mechanisms
and new security features across all browsers is not directly in the
scope of CVE. There are a number of cases described either in older
documents such as http://code.google.com/p/browsersec or newer
documents such as
http://www.strews.eu/results/5-web-platform-security-guide in which
some browsers have chosen to block a type of attack whereas others
have not. At the moment, these types of "competitive analysis" CVE
requests may be deferred. In other words, CVE isn't really "about" a
product suddenly transitioning from non-vulnerable to vulnerable
solely because its development effort has lagged behind its
competitors in a sufficiently important way for a sufficiently long
period of time. The author of a product is free to announce software
mistakes, and there may be opportunities for CVE assignments in cases
of new codebases lacking a security feature that was already
more-or-less ubiquitous before the software was written.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTGNq6AAoJEKllVAevmvmshoIH/A6sHp+gzIB2HxknclfLVEgr
CbNFRRAykrxCthQbAM8IzET941ZdxT0vFu8ctT95o/+aT3R0pXVsGckjdqFqUwzf
UEXmrtXYjCGY9RJBs+M20R3ZCWHrx9HCJ88MOEGc8G/JQy/mcumETn3XZ0+PixQA
KOqbHLsD5T8HwFM2K2qP3gYefAc/PUYumcFmxfbw9k+MP/vvmCNsFRXlUnJJkIWX
thdCpz9WTK9ihuJY99EUCAdAkWJHyrlz9px5j5lojHfC4ZY1gLUc2+fYJSPJbqMX
Qc4UMTvuomelxl9hJZh1PTKvPVu+gK+xQXe1/kqXNex3zHM0rx+ueXgk6W4QEkM=
=1SBL
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.