oss-sec mailing list archives

Re: CVE's for SSLv2 support


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 1 Mar 2016 12:25:24 -0700

On Tue, Mar 1, 2016 at 12:12 PM, <cve-assign () mitre org> wrote:

>> If a crypto library (e.g. OpenSSL, NSS) supports AND enables SSLv2 by
>> default should it receive a CVE?
>
> There's no general answer to that question. CVE ID assignments are not
> based on outsiders making guesses about the expectations of a product's
> customers. For example, there might be a crypto library intended for
> communication on isolated networks to high-value embedded devices that
> support only SSLv2, and cannot and will not ever be updated.


I guess my confusion is: what would be the downside to assigning a CVE in
such a case, such a "false positive" would be easily explained ("yes we
support SSLv2, but only for use on closed network"[1]) but more to the
point by drawing a line in the sand of "SSLv2 is worth a CVE" we'd be much
more easily able to track which products are using SSLv2 by default (and
thus putting us at risk). From your web page "CVE is a dictionary of
publicly known information security vulnerabilities and exposures."

Does SSLv2 not pretty much exactly fit this definition now?

[1] which begs the question why they're even using SSLv2 but I digress =)


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
