List: oss-security
Subject: Re: [oss-security] Strange CVE situation (at least one ID should come of this)
From: "Steven M. Christey" <coley () rcf-smtp ! mitre ! org>
Date: 2012-10-31 14:27:51
Message-ID: Pine.GSO.4.64.1210311020220.12365 () faron ! mitre ! org
On Tue, 30 Oct 2012, Kurt Seifried wrote:
>
> On 10/30/2012 11:34 AM, Steven M. Christey wrote:
>>
>> To have a CVE for "don't use this" is not consistent with
>> long-existing practice. I don't recall ever intentionally
>> assigning a CVE for such a thing - after all, CVE is about
>> vulnerabilities, and "don't use this" is awfully vague.
>
> True, but we've already gone down that road, e.g.:
>
> CVE-2012-2400 Unspecified vulnerability in
> wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown
> impact and attack vectors.
That's not the same as a generic "don't use this." For this
CVE-2012-2400, there is a specific advisory from a specific vendor telling
customers to patch a vulnerability. It's "unspecified" all over the place
due to lack of details, so risk analysis is problematic, but it's a
statement of some kind of vulnerability in a specific version by an
authoritative source.
Oracle and HP publish advisories like this on a regular basis.
>> Deployment of risky software is effectively a configuration or
>> asset management issue, which is well outside the scope of CVE.
>> (Maybe it's more like a Common Configuration Enumeration (CCE)
>> issue.)
>
> If anything I think it would fit into CPE
CPE is neutral on security - it's just about identifying software packages
and versions. One main use is in vulnerability management, but it's more
general than that.
- Steve