Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 19 Nov 2015 04:18:42 +0300
From: Solar Designer <solar@...nwall.com>
To: "Zach W." <kestrel@...linux.us>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2015-7266

On Wed, Nov 18, 2015 at 03:58:14PM -0800, Zach W. wrote:
> Anybody have any idea what the deal is with this CVE, since it's
> referenced in http://media.pixalate.com/white-papers/xindi.pdf? It's
> being splattered all over the news, but the CVE is still in "reservered"

Kurt has already commented on the CVE aspect, but I'd like to point out
that the Subject line of this message is inappropriate, especially given
that the message body didn't include the required detail as well.
Subjects must be descriptive, whereas including only a CVE ID is not.
(If another moderator were not quick to approve Zach's message, I would
insist on the Subject being corrected first.)

Going to the URL in Zach's message, I see that page 6 of the PDF says:

"The Amnesia Bug is a critical vulnerability (CVE-2015-7266) in the
OpenRTB v2.3 protocol implementation, which is the standard for
real-time digital media buying and selling.  This vulnerability allows
fraudsters to conceal the true status of an ad transaction [...]"

I think the above detail must have been included in Zach's message, in
order not to waste people's time on figuring out whether the
vulnerability is relevant to them (upon reading this, most people would
conclude that it is not).  And a proper Subject could be:

"CVE-2015-7266 - OpenRTB 2.3 protocol implementation Amnesia Bug"

as per these guidelines:

http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

"When applicable, the message Subject must include the name and
version(s) of affected software, and vulnerability type.  For example, a
Subject saying only "CVE request" or "CVE-2099-99999" is not appropriate,
whereas "CVE request - Acme Placeholder 1.0 buffer overflow" or
"CVE-2099-99999 - Acme Placeholder 1.0 buffer overflow" would be OK."

Another issue with having this on oss-security is that it's unclear
whether the OpenRTB implementation in question is Open Source or not.

The OpenRTB specification is on GitHub:

http://openrtb.github.io/OpenRTB/
https://github.com/openrtb/OpenRTB

but it is unclear where implementations are, and which one is affected.

Overall, I'd like oss-security to be more focused on technical detail,
and less on CVEs.  I can tolerate postings that include both technical
detail and CVE IDs or requests (and if getting a CVE ID is why someone
posts, that's fine, as long as the very same message also brings
valuable detail to this community).  I won't tolerate CVE-only postings
lacking any detail at all (and referencing an external PDF without even
mentioning the software or technology in question is not good enough).

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.