oss-sec mailing list archives
Re: Question regarding CVE applicability of missing HttpOnly flag
From: cve-assign () mitre org
Date: Fri, 27 Jun 2014 16:03:43 -0400 (EDT)
> I suppose maybe there is a CWE for not having a virus scanner, which makes sense as that could be considered an overall system weakness.
Neither CVE nor CWE attempts to cover the general topic of system integration, i.e., questions such as "given the composition and role of this entire system, is it unreasonable to omit a virus scanner?" In practice, both CVE and CWE often tend to be about questions that may come up when considering somewhere around one line of code or one file of code. (This is just an observational statement, not an attempt to redefine why CVE and CWE exist.) Typical audiences may include (among others) developers who need to write a line of code safely or system administrators who need to patch a faulty line of code.

This doesn't mean that there's any objection to someone taking the position that lack of a virus scanner is the most serious security concern that they see in an entire system. This is a valid perspective but is outside of the problem spaces in which CVE and CWE have been operating. Even if everyone were looking at "whether or not a flaw is a flaw" decisions in precisely the same way, a conclusion of "yes, this system would really benefit from a virus scanner" leaves open the question of the best place to capture that information.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]