oss-sec mailing list archives

Re: CVE for Kali Linux


From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Sun, 22 Mar 2015 12:54:57 -0400 (EDT)

On Sun, 22 Mar 2015 09:49:12 -0600, Kurt Seifried <kseifried () redhat com> wrote:
> I meant from the CVE assignment perspective. This was back in 1999, it's
> only recently (e.g. the last 6 months or so?) that we've moved the
> security bar to:
>
> downloads of updates via HTTP with no other protection == CVE

On 2015-02-26 I reported to Cygwin that they had a similar man-in-the-middle issue.
The Cygwin package manager (which downloaded all other packages) was unprotected
and downloaded using http (as http://cygwin.com/setup-x86.exe or http://cygwin.com/setup-x86_64.exe).
They changed it to load with HTTPS, and later added HTTP Strict Transport Security (HSTS).

However, since they were the only site that could (realistically) correct it, I didn't
request a CVE.  (FYI, they quickly repaired that problem once they received the report.)

Should I have requested a CVE?

--- David A. Wheeler
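The bar Kurt states above ("downloads of updates via HTTP with no other protection == CVE") and the fix David describes (HTTPS, then HSTS) can be turned into a small audit check. The following is an added example, not code from the oss-sec thread, from Cygwin, or from any CVE process. It parses a Strict-Transport-Security header and classifies an installer download channel by URL scheme and by whether the client verifies a signature on the payload; the URLs are the ones named in the message, but the response headers and the `signature_verified` flag are constructed inputs for illustration only.

```python
"""Classify an installer/update download channel against the rule
'HTTP download with no other protection == CVE'.

Added example; the HTTP responses below are constructed, not captured
from cygwin.com, and `signature_verified` is an assumed input describing
whether the downloading client checks a detached signature itself.
"""
from urllib.parse import urlparse

# Download URLs named in the thread (before and after the Cygwin fix).
BEFORE_URL = "http://cygwin.com/setup-x86.exe"
AFTER_URL = "https://cygwin.com/setup-x86_64.exe"

# Constructed response headers: before (plain HTTP, nothing else) and
# after (HTTPS plus an HSTS policy).
BEFORE_HEADERS = {"Content-Type": "application/octet-stream"}
AFTER_HEADERS = {
    "Content-Type": "application/octet-stream",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

VULNERABLE = "vulnerable"   # plaintext and nothing else: MITM swaps the file
WEAK = "weak"               # plaintext, but client verifies a signature
OK = "ok"                   # transport is authenticated


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 syntax).

    Returns a dict with max_age / include_subdomains / preload, or None when
    the header is absent or has no valid max-age (a policy without max-age
    is ignored by browsers, so it gives no protection).
    """
    if value is None:
        return None
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def assess_download(url, headers, signature_verified=False):
    """Return (verdict, reason) for one download channel.

    signature_verified is an assumption about the client: True means the
    downloader checks a signature on the payload before using it.
    """
    scheme = urlparse(url).scheme.lower()
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = parse_hsts(lower.get("strict-transport-security"))

    if scheme == "https":
        if hsts and hsts["max_age"] > 0:
            return OK, "https with HSTS (max-age=%d)" % hsts["max_age"]
        # Without HSTS a user who types the bare hostname still starts on
        # http:// and can be redirected elsewhere before reaching TLS.
        return OK, "https without HSTS: first visit can still be downgraded"
    if scheme == "http":
        if signature_verified:
            return WEAK, "plaintext http, but client verifies a payload signature"
        return VULNERABLE, "plaintext http with no other protection: MITM can replace the file"
    return VULNERABLE, "unsupported scheme %r" % scheme


if __name__ == "__main__":
    for url, hdrs in ((BEFORE_URL, BEFORE_HEADERS), (AFTER_URL, AFTER_HEADERS)):
        verdict, reason = assess_download(url, hdrs)
        print("%-40s %-10s %s" % (url, verdict, reason))
```

Run it as a script to see the before/after classification; the "weak" verdict exists because a signed payload over HTTP is still a freeze/rollback target, which is why it is not reported as "ok".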
