oss-sec mailing list archives
Re: CVE for Kali Linux
From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Sun, 22 Mar 2015 12:54:57 -0400 (EDT)
On Sun, 22 Mar 2015 09:49:12 -0600, Kurt Seifried <kseifried () redhat com> wrote:
> I meant from the CVE assignment perspective. This was back in 1999, it's only recently (e.g. the last 6 months or so?) that we've moved the security bar to: downloads of updates via HTTP with no other protection == CVE
On 2015-02-26 I reported to Cygwin that they had a similar man-in-the-middle issue. The Cygwin package manager (which downloaded all other packages) was unprotected and downloaded using http (as http://cygwin.com/setup-x86.exe or http://cygwin.com/setup-x86_64.exe). They changed it to load with HTTPS, and later added HTTP Strict Transport Security (HSTS). However, since they were the only site that could (realistically) correct it, I didn't request a CVE. (FYI, they quickly repaired that problem once they received the report.)

Should I have requested a CVE?

--- David A. Wheeler