Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.64.1103041208100.3265@faron.mitre.org>
Date: Fri, 4 Mar 2011 12:22:34 -0500 (EST)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: Solar Designer <solar@...nwall.com>
cc: oss-security@...ts.openwall.com,
        "Steven M. Christey" <coley@...-smtp.mitre.org>,
        Stefan Fritsch <sf@...itsch.de>, Jan Kaluza <jkaluza@...hat.com>,
        Florian Zumbiehl <florz@...rz.de>, Paul Martin <pm@...ian.org>,
        Petr Uzel <petr.uzel@...e.cz>, Thomas Biege <thomas@...e.de>
Subject: Re: CVE Request -- logrotate -- nine issues


On Fri, 4 Mar 2011, Solar Designer wrote:

> Again, as I wrote to Florian, maybe the expectations here are changing 
> over the years.

In general, that's what happens in CVE.  Part of this may be that as the 
more obvious/severe issues get eliminated, less-severe issues are then 
given more attention.  I try to watch out for edge cases that may 
"snowball" into large numbers of CVEs of limited utility - and you brought 
up one such example of a snowball issue with the recognition of 
technically-unsafe-but-commonly-accepted file behaviors of various Unix 
commands.  However, there is no clearly-defined line (software is too 
complex and dynamic for that) and risk tolerance differs widely between 
individuals.  The PHP interpreted gets hit with various issues related to 
sandbox escaping (or an application attacking itself), but in a hosting 
scenario (fairly common these days), it's a concern to some consumers.

As remote code execution vectors dry up (for certain classes of software), 
people look elsewhere.  As obvious remote vuln types get resolved, people 
look for other issues of uncertain exploitability that cause a crash. 
Alexander, you've had a bit of experience in suddenly turning "bugs" into 
"vulnerabilities" ;-)  The target is shifting over time and, by its 
nature, spreading a wider net.  As long as prioritization metrics like 
CVSS follow suit (e.g. more severities of 4 and 5, less 10's), this is a 
reasonable shift.

For CVE, there is no implied requirement for vendors to post advisories 
for evey issue that has a CVE assigned.  Vendors decide which issues are 
severe enough to directly notify their consumers about.  Granted, as the 
scope of CVE widens, this may increase the vendor workload.

Interesting discussion...

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.