Date: Tue, 1 May 2018 01:17:36 +0300
From: Alexander Popov <alex.popov@...ux.com>
To: Kurt Seifried <kseifried@...hat.com>,
 oss-security <oss-security@...ts.openwall.com>
Cc: Kees Cook <keescook@...omium.org>, "Serge E. Hallyn" <serge@...lyn.com>,
 Brad Spengler <spender@...ecurity.net>, PaX Team <pageexec@...email.hu>,
 James Morris <jmorris@...ei.org>,
 "Reshetova, Elena" <elena.reshetova@...el.com>
Subject: Re: Re: Linux Kernel Defence Map

On 05.04.2018 02:55, Kurt Seifried wrote:
> Please use a CWE identifier if one exists (https://cwe.mitre.org/), if one
> doesn't exist perhaps we should have one (email me and I'm happy to help get
> that ball rolling). Having a CWE not only helps categorize things correctly but
> gives us something to point developers at for resources around flaws and how
> they can be avoided/dealt with/etc. 

Hello Kurt,

I've just added the corresponding CWE IDs to the vulnerability classes shown on
the map: https://github.com/a13xp0p0v/linux-kernel-defence-map

I think there is only one vuln class that misses a CWE ID -- Stack Depth
Overflow. We currently have CWE-674 (Uncontrolled Recursion), but it doesn't
cover the Stack Clash case, which also refers to Stack Depth Overflow.

Best regards,
Alexander
