Date: Tue,  1 Mar 2016 16:16:55 -0500 (EST)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE's for SSLv2 support

> by drawing a line in the sand of "SSLv2 is worth a CVE" we'd be much
> more easily able to track which products are using SSLv2 by default (and
> thus putting us at risk). From your web page "CVE is a dictionary of
> publicly known information security vulnerabilities and exposures."

If a vendor is announcing a security update that removes SSLv2
support, they can map to any CVE IDs associated with the SSLv2
protocol to indicate their motivation for that security update. For
example, they can list CVE-2016-0800 in their advisory. If anyone is
discussing the security properties of a product (even before such an
update is announced), they can mention that -- for example --
CVE-2016-0800 is applicable to that product. If a vendor really wants
to emphasize that they are removing SSLv2 support for multiple
unspecified reasons, then the CVE team at MITRE could assign a
separate CVE ID; however, it doesn't seem especially helpful to have
that widespread risk of overlapping IDs as a default position.

CVE-2016-0800 will be in the mentioned dictionary on the CVE web site
very soon, indicating that it is a vulnerability in the SSLv2 protocol
(the https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800
text will be used initially). Anyone building a vulnerability database
on top of CVE can feel free to populate that database's CVE-2016-0800
entry with an arbitrarily comprehensive product list, to help with the
"track which products are using SSLv2" goal that you mentioned. CVE is
not a vulnerability database, and generally has not offered
comprehensive product mappings for protocol-level vulnerabilities.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
