oss-sec mailing list archives
Re: Re: Question regarding CVE applicability of missing HttpOnly flag
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 26 Jun 2014 10:00:33 -0600
On 26/06/14 05:45 AM, Jamie Strandboge wrote:

> Based on this email and the one this is in response to, I find this comment unclear. Is MITRE saying that:
>
> a) lack of implementing SELinux, AppArmor, virus scanner, firewall, <insert hardening software here> does not justify a CVE because of the complexity?
>
> b) lack of implementing SELinux, AppArmor, virus scanner, firewall, <insert hardening software here> does not justify a CVE and also cannot be considered an implementation error because of the complexity?
>
> c) implementing SELinux, AppArmor, virus scanner, firewall, and/or <insert hardening software here> is not worth it because the added complexity intrinsically makes the system less secure?
>
> d) something else?
>
> Thanks
So one comment on this: replace the above with "DAC" (http://en.wikipedia.org/wiki/Discretionary_access_control) and I bet we'd hand it a CVE =).

Security lines move. I would expect most modern systems of any type (Windows, Linux, router, maybe not my bathroom scale that talks wifi... yet) to have some sort of firewall enabled by default and not simply leave everything exposed to the world. So in that case not having a firewall enabled by default would definitely violate the principle of least surprise and maybe even qualify for a CVE.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993