Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 22 Mar 2015 12:54:57 -0400 (EDT)
From: "David A. Wheeler" <>
To: "oss-security" <>
Subject: Re: CVE for Kali Linux

On Sun, 22 Mar 2015 09:49:12 -0600, Kurt Seifried <> wrote:
> I meant from the CVE assignment perspective. This was back in 1999, it's
> only recently (e.g. the last 6 months or so?) that we've moved the
> security bar to:
> downloads of updates via HTTP with no other protection == CVE

On 2015-02-26 I reported to Cygwin that they had a similar man-in-the-middle issue.
The Cygwin package manager (which downloaded all other packages) was unprotected
and downloaded using http (as or
They changed it to load with HTTPS, and later added HTTP Strict Transport Security (HSTS).

However, since they were the only site that could (realistically) correct it, I didn't
request a CVE.  (FYI, they quickly repaired that problem once they received the report.)

Should I have requested a CVE?

--- David A. Wheeler

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.