oss-sec mailing list archives

Re: CVE's for SSLv2 support


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 1 Mar 2016 11:53:37 -0700

OK, let me simplify:

If a crypto library (e.g. OpenSSL, NSS) supports AND enables SSLv2 by
default, should it receive a CVE? Essentially we'd be saying "SSLv2 is so
bad that supporting/enabling it by default in a crypto library is CVE
worthy" (essentially under the CVE assignment rule for "product makes a security
claim that it fails to do properly").

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
