oss-sec mailing list archives
Re: CVE's for SSLv2 support
From: cve-assign () mitre org
Date: Tue, 1 Mar 2016 16:16:55 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> by drawing a line in the sand of "SSLv2 is worth a CVE" we'd be much
> more easily able to track which products are using SSLv2 by default
> (and thus putting us at risk).

> From your web page "CVE is a dictionary of publicly known information
> security vulnerabilities and exposures."
If a vendor is announcing a security update that removes SSLv2 support, they can map to any CVE IDs associated with the SSLv2 protocol to indicate their motivation for that security update. For example, they can list CVE-2016-0800 in their advisory. If anyone is discussing the security properties of a product (even before such an update is announced), they can mention that -- for example -- CVE-2016-0800 is applicable to that product.

If a vendor really wants to emphasize that they are removing SSLv2 support for multiple unspecified reasons, then the CVE team at MITRE could assign a separate CVE ID; however, it doesn't seem especially helpful to have that widespread risk of overlapping IDs as a default position.

CVE-2016-0800 will be in the mentioned dictionary on the CVE web site very soon, indicating that it is a vulnerability in the SSLv2 protocol (the https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800 text will be used initially). Anyone building a vulnerability database on top of CVE can feel free to populate that database's CVE-2016-0800 entry with an arbitrarily comprehensive product list, to help with the "track which products are using SSLv2" goal that you mentioned. CVE is not a vulnerability database, and generally has not offered comprehensive product mappings for protocol-level vulnerabilities.
- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW1gXTAAoJEL54rhJi8gl5lWUP/RCc1976FrlaMFf/G8WG8b6Q
kI5NX2b0IzQhnfq8+ldTjsPWgy93zUG6WlHjcirtYif1yPoJqF8zKkkN8BR4P7vZ
1o1MJdK3DIXDD/eQ0wlzVkbaNIiy+S1FjTHLgzu33jACaBUwTNsOdjOO/td/NKdK
DaEu6ETe7K/+RytAT2mhCk9ma9mKm6v2tN4G+aqnlzLBEyELUYQuMJF58UR90RAX
UAKWeLfAisxOfZStpCPOfVauSFmtc8d2R74CjIsHCdwfUnUrIxYCNcxjZa4bnWdB
beW9CTTErBC/QofWrOx+/X7glC2V3PjcY0GKCriPiTs9ea8p2NErbNY0ECQnPyyF
NjHSXYlT5wOCNRF0hyd85hromRghGVSUK9jMOeBIFLFFZs0m2aApEBT2tJbIVnC+
WEF0mPMRKeFshrQ2mJTIkxIEdPAd0P7yW2Np8NirMuguUCEHGg3k1Mja+hPW1izV
8vt2Peo8vlHc8oeetLZ0+myK20wC1uX1zVMim3H+4Wy3ayFPQQ17ZOc2/IU0Eh4I
xS2XTdk8x9oQ9H6Gyjq7eYZrUfhDUA7GkOTcC1J10ZC54WLAX8bWbsLagh+yrrTK
pQjPr9wEgQFskuoUF+Ol8lL/kiFphVE0l3gJM5VpR3dvAld2714FPdNgzdn3Wc38
WObLmO4imwD5rZZmKyxI
=wfuM
-----END PGP SIGNATURE-----
Current thread:
- CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: CVE's for SSLv2 support Loganaden Velvindron (Mar 01)
- Re: CVE's for SSLv2 support Grant Ridder (Mar 01)
- Re: CVE's for SSLv2 support Stuart Henderson (Mar 01)
- Re: CVE's for SSLv2 support gremlin (Mar 01)
- Re: CVE's for SSLv2 support cve-assign (Mar 01)
- Re: CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: CVE's for SSLv2 support cve-assign (Mar 01)
- Re: CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: CVE's for SSLv2 support cve-assign (Mar 01)
- Re: Re: CVE's for SSLv2 support Tim (Mar 01)
- Re: Re: CVE's for SSLv2 support Bob Beck (Mar 01)
- Re: Re: CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: Re: CVE's for SSLv2 support Bob Beck (Mar 01)
- Re: Re: CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: Re: CVE's for SSLv2 support Steve Grubb (Mar 02)
- Re: CVE's for SSLv2 support Kurt Seifried (Mar 01)
- Re: CVE's for SSLv2 support Loganaden Velvindron (Mar 01)