|
Message-ID: <Pine.GSO.4.64.1103041208100.3265@faron.mitre.org> Date: Fri, 4 Mar 2011 12:22:34 -0500 (EST) From: "Steven M. Christey" <coley@...-smtp.mitre.org> To: Solar Designer <solar@...nwall.com> cc: oss-security@...ts.openwall.com, "Steven M. Christey" <coley@...-smtp.mitre.org>, Stefan Fritsch <sf@...itsch.de>, Jan Kaluza <jkaluza@...hat.com>, Florian Zumbiehl <florz@...rz.de>, Paul Martin <pm@...ian.org>, Petr Uzel <petr.uzel@...e.cz>, Thomas Biege <thomas@...e.de> Subject: Re: CVE Request -- logrotate -- nine issues On Fri, 4 Mar 2011, Solar Designer wrote: > Again, as I wrote to Florian, maybe the expectations here are changing > over the years. In general, that's what happens in CVE. Part of this may be that as the more obvious/severe issues get eliminated, less-severe issues are then given more attention. I try to watch out for edge cases that may "snowball" into large numbers of CVEs of limited utility - and you brought up one such example of a snowball issue with the recognition of technically-unsafe-but-commonly-accepted file behaviors of various Unix commands. However, there is no clearly-defined line (software is too complex and dynamic for that) and risk tolerance differs widely between individuals. The PHP interpreted gets hit with various issues related to sandbox escaping (or an application attacking itself), but in a hosting scenario (fairly common these days), it's a concern to some consumers. As remote code execution vectors dry up (for certain classes of software), people look elsewhere. As obvious remote vuln types get resolved, people look for other issues of uncertain exploitability that cause a crash. Alexander, you've had a bit of experience in suddenly turning "bugs" into "vulnerabilities" ;-) The target is shifting over time and, by its nature, spreading a wider net. As long as prioritization metrics like CVSS follow suit (e.g. more severities of 4 and 5, less 10's), this is a reasonable shift. For CVE, there is no implied requirement for vendors to post advisories for evey issue that has a CVE assigned. Vendors decide which issues are severe enough to directly notify their consumers about. Granted, as the scope of CVE widens, this may increase the vendor workload. Interesting discussion... - Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.