List:       openvas-development
Subject:    Re: [Openvas-devel] [oss-security] CVE Request -- openvas-scanner
From:       "Jan-Oliver Wagner" <Jan-Oliver.Wagner () greenbone ! net>
Date:       2011-09-13 20:55:26
Message-ID: 201109132255.26833.Jan-Oliver.Wagner () greenbone ! net

Hi,

I realize I should have spent more words to explain my concern.

Of course I am aware of the way CVE works and that it is valid
to report about deprecated releases.

I was more wondering that no request/reviews seem to have happened
during the process beyond the actual vulnerability reporting process.
Personally I do see an unbalance here that could open a door for abuse.
However, this discussion belongs in other channels as it is unrelated
to OpenVAS.

> Mitre does not provide CVE names only for up-to-date software. CVE names are
> assigned to define unique vulnerabilities which occur in any piece of software
> (obsolete or up-to-date upstream, it doesn't matter). 
> 
> So yes, you might be able to get CVE names for old software versions if you
> want to. It is actually up to the assigner of CVE names (in most cases
> MITRE, but they also provide "ranges" for producers of software for them to
> handle as they see fit) to either provide (or not) a name.
> 
> In any case, since Fedora provided OpenVAS 2.x at least in the past and
> Debian does so too, it makes sense to have a common CVE name to use in
> security advisories sent by distributions and related to this vulnerability.

-- 
Dr. Jan-Oliver Wagner |  ++49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner