
List:       oss-security
Subject:    Re: [oss-security] Re: kwallet crypto misuse
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2014-01-03 2:07:00
Message-ID: 52C61B44.8010807 () redhat ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/02/2014 12:45 PM, cve-assign@mitre.org wrote:
> Thanks very much for this additional information. At this point,
> it seems very unlikely that the "\0a\0b\0c\0d" issue will have an 
> additional CVE assignment. We were asking just because of the 
> possibility of a clear implementation error in which security was 
> weakened by using a "wrong" character width.
> 
>> Do you think MITRE or other folks should be recommending
>> pre-whitening the strings before encrypting them
> 
> It's possible that a group elsewhere at MITRE would work on 
> recommendations in that area or other areas. For purposes of the
> CVE assignments in this situation, that type of opportunity for
> security improvement wasn't being considered.

Hrmm, I assumed this would be handled a lot by getting things accepted
in CWE (http://cwe.mitre.org/), and once done that means we can start
assigning CVEs for them.

Stupid question but what is the process to propose a new CWE? I poked
around the site but can't find any hints.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----