[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: epiphany not checking ssl certs
From:       Josh Bressers <bressers () redhat ! com>
Date:       2010-09-21 14:55:17
Message-ID: 112978625.203461285080917580.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
[Download RAW message or body]

Please use CVE-2010-3312 for this.

Thanks.

-- 
    JB


----- "Michael Gilbert" <michael.s.gilbert@gmail.com> wrote:

> On Fri, 17 Sep 2010 14:45:28 -0400 (EDT), Steven M. Christey wrote:
> > 
> > If an application does not advertise a security feature, then in
> general 
> > we will not give a CVE because of its absence of the feature (I
> don't want 
> > to give out 50,000 CVEs for every protocol that does cleartext 
> > transmission... or uses DES... etc.)  Similarly, we generally avoid
> 
> > assigning CVEs to "defense in depth" fixes, although the line
> between 
> > "vulnerability" and "defense in depth" can get fuzzy.
> > 
> > The http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564690#5 title
> says 
> > "Does not longer check certificates" which could be interpreted to
> mean 
> > that it used to check certs, and now it doesn't.  If that's the
> case, then 
> > it makes sense to assign a CVE.
> 
> The feature was lost in the transition from gecko to webkit (or more
> accurately libsoup for certificate support). I think it makes sense
> to
> assign an id since it does involve the loss of an expected security
> feature.
> 
> Mike
[prev in list] [next in list] [prev in thread] [next in thread]