Date: Tue, 07 Oct 2014 17:57:25 -0600 From: Kurt Seifried <kseifried@...hat.com> To: cve-assign@...re.org CC: oss-security@...ts.openwall.com Subject: Re: Discussion: information leakage from server and client software - CVE/hardening/other? On 07/10/14 03:56 PM, cve-assign@...re.org wrote: >> So for example the >> http://boingboing.net/2014/10/07/adobe-ebook-drm-secretly-build.html >> article would indicate to me that this is CVE worthy under #4 > > Currently not; Adobe has a statement quoted at: > > http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-logs-back-to-adobe-in-plain-text/ > > indicating that the information disclosure is intentional, and is > (from their point of view) useful to them. This is just an example of > a behavior that might also occur in an open-source product. The Adobe > issue itself is off-topic for this list. Then by that measure we could for example have challenged CVE-2011-4083 for example saying that it is useful to us. The same would go for any "unsanitized" log file submissions. I fear this is a slippery slope where vendors can effectively game their CVE numbers with "oh we meant to do that" which makes CVE much less useful =( -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.