
List:       oss-security
Subject:    Re: [oss-security] Strange CVE situation (at least one ID should come of this)
From:       "Steven M. Christey" <coley () rcf-smtp ! mitre ! org>
Date:       2012-10-31 14:27:51
Message-ID: Pine.GSO.4.64.1210311020220.12365 () faron ! mitre ! org


On Tue, 30 Oct 2012, Kurt Seifried wrote:

>
> On 10/30/2012 11:34 AM, Steven M. Christey wrote:
>>
>> To have a CVE for "don't use this" is not consistent with
>> long-existing practice.  I don't recall ever intentionally
>> assigning a CVE for such a thing - after all, CVE is about
>> vulnerabilities, and "don't use this" is awfully vague.
>
> True, but we've already gone down that road, e.g.:
>
> CVE-2012-2400 Unspecified vulnerability in
> wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown
> impact and attack vectors.

That's not the same as a generic "don't use this."  For this 
CVE-2012-2400, there is a specific advisory from a specific vendor telling 
customers to patch a vulnerability.  It's "unspecified" all over the place 
due to lack of details, so risk analysis is problematic, but it's a 
statement of some kind of vulnerability in a specific version by an 
authoritative source.

Oracle and HP publish advisories like this on a regular basis.

>> Deployment of risky software is effectively a configuration or
>> asset management issue, which is well outside the scope of CVE.
>> (Maybe it's more like a Common Configuration Enumeration (CCE)
>> issue.)
>
> If anything I think it would fit into CPE

CPE is neutral on security - it's just about identifying software packages 
and versions.  One main use is in vulnerability management, but it's more 
general than that.

- Steve