Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 19 Nov 2015 04:18:42 +0300
From: Solar Designer <>
To: "Zach W." <>
Subject: Re: CVE-2015-7266

On Wed, Nov 18, 2015 at 03:58:14PM -0800, Zach W. wrote:
> Anybody have any idea what the deal is with this CVE, since it's
> referenced in It's
> being splattered all over the news, but the CVE is still in "reservered"

Kurt has already commented on the CVE aspect, but I'd like to point out
that the Subject line of this message is inappropriate, especially given
that the message body didn't include the required detail as well.
Subjects must be descriptive, whereas including only a CVE ID is not.
(If another moderator were not quick to approve Zach's message, I would
insist on the Subject being corrected first.)

Going to the URL in Zach's message, I see that page 6 of the PDF says:

"The Amnesia Bug is a critical vulnerability (CVE-2015-7266) in the
OpenRTB v2.3 protocol implementation, which is the standard for
real-time digital media buying and selling.  This vulnerability allows
fraudsters to conceal the true status of an ad transaction [...]"

I think the above detail must have been included in Zach's message, in
order not to waste people's time on figuring out whether the
vulnerability is relevant to them (upon reading this, most people would
conclude that it is not).  And a proper Subject could be:

"CVE-2015-7266 - OpenRTB 2.3 protocol implementation Amnesia Bug"

as per these guidelines:

"When applicable, the message Subject must include the name and
version(s) of affected software, and vulnerability type.  For example, a
Subject saying only "CVE request" or "CVE-2099-99999" is not appropriate,
whereas "CVE request - Acme Placeholder 1.0 buffer overflow" or
"CVE-2099-99999 - Acme Placeholder 1.0 buffer overflow" would be OK."

Another issue with having this on oss-security is that it's unclear
whether the OpenRTB implementation in question is Open Source or not.

The OpenRTB specification is on GitHub:

but it is unclear where implementations are, and which one is affected.

Overall, I'd like oss-security to be more focused on technical detail,
and less on CVEs.  I can tolerate postings that include both technical
detail and CVE IDs or requests (and if getting a CVE ID is why someone
posts, that's fine, as long as the very same message also brings
valuable detail to this community).  I won't tolerate CVE-only postings
lacking any detail at all (and referencing an external PDF without even
mentioning the software or technology in question is not good enough).


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.