oss-sec mailing list archives
Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix
From: cve-assign () mitre org
Date: Fri, 9 Nov 2012 11:03:29 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
It looks like some of these can be CVE merged, e.g. 14 and 15, 1 and 5, can you confirm that these should not be merged?
Thanks for constructing this comprehensive table, but please do not merge 14 and 15, or 1 and 5. CVE assignment by MITRE most often has merges when the available information suggests one of these two situations: A. Flaw types that have been used for many years and are thought to be well understood. At present, a large fraction of our merges are for XSS, SQL injection, CSRF, buffer overflows, integer overflows, use-after-free issues, and directory traversal. However, a merge can occur correctly for any flaw type. B. The multiple pieces of disclosed information are identical except for names and values. This occurs, for example, in disclosures of incorrect permissions for multiple files. Another example is bad passwords for multiple accounts. At this point in the history of CWE, a discloser's choice of the same CWE identifier for two different bugs might not be a strong indication that a CVE merge should occur. When a merge decision is unclear, it's almost always better not to merge. From the perspective of MITRE in producing CVE content, one primary reason is that a merge can make a CVE description difficult to understand. There are other reasons that are more important to other audiences. For example, some CVE consumers don't like situations in which a vendor publishes multiple disclosure documents that explain different aspects of the same CVE. Other CVE consumers don't like a shared name for two bugs that they will always discuss separately. In the current case, we don't want to debate whether the CWE choices are "right" or "wrong" but instead just briefly indicate that there may be multiple perspectives and thus the merge decisions are unclear. 14 and 15: One might argue that these are different because 14 is about algorithmic complexity but 15 isn't. 01 and 05: One might argue that these are different because 05 is about incomplete security declarations but 01 isn't. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (SunOS) iQEcBAEBAgAGBQJQnSazAAoJEGvefgSNfHMdP5MIAILyoTU/UROVI8Bm0gQTgHwC V1gV5jVjA0NZs5tjcAAodSHPQIHBkxelvJvxwzEsRw43BDgRINtdtbn3JFHXgrv/ iapc+uubGmik8d+jzxLU/XhiA4xhq9IvTsWIMOHpbq7Q6WNa63HR4E3/3IrI0wei KnINO4aVwSklNYz2wAugll07/GLHMeMRUfWbJOb4aVY9wiDFcsUW39bdmFaAfmv3 1QVCwL3n74HAIYQSZsg4O1JrVe5tIfae0aHpto+0ATK21rc1/09tZyhnblUsOMbd QJQ5EKYusDVIXoMq4Ay489AyLq8jlaHNkfeSpsw8O0sEM0I6ngTuCemzaSZP3mM= =QuVC -----END PGP SIGNATURE-----
Current thread:
- CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Jan Lieskovsky (Nov 07)
- Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Matthew Wilkes (Nov 07)
- Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Kurt Seifried (Nov 09)
- Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix cve-assign (Nov 09)
- Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Matthew Wilkes (Nov 09)
- RE: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Christey, Steven M. (Nov 09)
- Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Kurt Seifried (Nov 09)
- Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Kurt Seifried (Nov 09)
- Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Matthew Wilkes (Nov 07)