oss-sec mailing list archives
Re: Discussion: information leakage from server and client software - CVE/hardening/other?
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 07 Oct 2014 17:57:25 -0600
On 07/10/14 03:56 PM, cve-assign () mitre org wrote:
>> So for example the http://boingboing.net/2014/10/07/adobe-ebook-drm-secretly-build.html article would indicate to me that this is CVE worthy under #4
>
> Currently not; Adobe has a statement quoted at: http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-logs-back-to-adobe-in-plain-text/ indicating that the information disclosure is intentional, and is (from their point of view) useful to them. This is just an example of a behavior that might also occur in an open-source product. The Adobe issue itself is off-topic for this list.

Then by that measure we could for example have challenged CVE-2011-4083 for example saying that it is useful to us. The same would go for any "unsanitized" log file submissions. I fear this is a slippery slope where vendors can effectively game their CVE numbers with "oh we meant to do that" which makes CVE much less useful =(

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993