oss-sec mailing list archives
Re: CVE's for SSLv2 support
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 1 Mar 2016 11:53:37 -0700
Ok let me simplify: If a crypto library (e.g. OpenSSL, NSS) supports AND enables SSLv2 by default should it receive a CVE? Essentially we'd be saying "SSLv2 is so bad, that supporting/enabling it by default in a crypto library is CVE worthy" (essentially under the CVE assignment for "product makes a security claim that it fails to do properly"). -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert () redhat com
Current thread:
- CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: CVE's for SSLv2 support Loganaden Velvindron (Mar 01)
- Re: CVE's for SSLv2 support Grant Ridder (Mar 01)
- Re: CVE's for SSLv2 support Stuart Henderson (Mar 01)
- Re: CVE's for SSLv2 support gremlin (Mar 01)
- Re: CVE's for SSLv2 support cve-assign (Mar 01)
- Re: CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: CVE's for SSLv2 support cve-assign (Mar 01)
- Re: CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: CVE's for SSLv2 support cve-assign (Mar 01)
- Re: Re: CVE's for SSLv2 support Tim (Mar 01)
- Re: Re: CVE's for SSLv2 support Bob Beck (Mar 01)
- Re: Re: CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: Re: CVE's for SSLv2 support Bob Beck (Mar 01)
- Re: Re: CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: Re: CVE's for SSLv2 support Steve Grubb (Mar 02)
- Re: CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: CVE's for SSLv2 support Loganaden Velvindron (Mar 01)