[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE request: epiphany not checking ssl certs
From: Josh Bressers <bressers () redhat ! com>
Date: 2010-09-21 14:55:17
Message-ID: 112978625.203461285080917580.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
[Download RAW message or body]
Please use CVE-2010-3312 for this.
Thanks.
--
JB
----- "Michael Gilbert" <michael.s.gilbert@gmail.com> wrote:
> On Fri, 17 Sep 2010 14:45:28 -0400 (EDT), Steven M. Christey wrote:
> >
> > If an application does not advertise a security feature, then in
> general
> > we will not give a CVE because of its absence of the feature (I
> don't want
> > to give out 50,000 CVEs for every protocol that does cleartext
> > transmission... or uses DES... etc.) Similarly, we generally avoid
>
> > assigning CVEs to "defense in depth" fixes, although the line
> between
> > "vulnerability" and "defense in depth" can get fuzzy.
> >
> > The http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564690#5 title
> says
> > "Does not longer check certificates" which could be interpreted to
> mean
> > that it used to check certs, and now it doesn't. If that's the
> case, then
> > it makes sense to assign a CVE.
>
> The feature was lost in the transition from gecko to webkit (or more
> accurately libsoup for certificate support). I think it makes sense
> to
> assign an id since it does involve the loss of an expected security
> feature.
>
> Mike
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic