oss-sec mailing list archives

Re: Question regarding CVE applicability of missing HttpOnly flag


From: cve-assign () mitre org
Date: Thu, 26 Jun 2014 11:59:11 -0400 (EDT)

It is closest to b. It would be very rare to assign a CVE for a design
choice by a system integrator. Suppose a new operating-system
distribution ships tomorrow without a virus scanner. Often the best
model for this would be a set of tasks that hasn't happened. For
example, the vendor hasn't yet investigated customer requirements for
what a virus scanner should do. The vendor hasn't performed the
release-engineering work of packaging a virus scanner. There are other
tasks as well. We don't think that CVE consumers are looking for us to
tag cases where a product lacks complete subsystem parity with all
possible competitors.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
