oss-sec mailing list archives
Re: Strange CVE situation (at least one ID should come of this)
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Wed, 31 Oct 2012 10:27:51 -0400 (EDT)
On Tue, 30 Oct 2012, Kurt Seifried wrote:
> On 10/30/2012 11:34 AM, Steven M. Christey wrote:
>> To have a CVE for "don't use this" is not consistent with long-existing practice. I don't recall ever intentionally assigning a CVE for such a thing - after all, CVE is about vulnerabilities, and "don't use this" is awfully vague.
>
> True, but we've already gone down that road, e.g.:
>
> CVE-2012-2400 Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors.
That's not the same as a generic "don't use this." For this CVE-2012-2400, there is a specific advisory from a specific vendor telling customers to patch a vulnerability. It's "unspecified" all over the place due to lack of details, so risk analysis is problematic, but it's a statement of some kind of vulnerability in a specific version by an authoritative source.
Oracle and HP publish advisories like this on a regular basis.
>> Deployment of risky software is effectively a configuration or asset management issue, which is well outside the scope of CVE. (Maybe it's more like a Common Configuration Enumeration (CCE) issue.)
>
> If anything I think it would fit into CPE
CPE is neutral on security - it's just about identifying software packages and versions. One main use is in vulnerability management, but it's more general than that.
- Steve