oss-sec mailing list archives
Re: Re: CVE's for SSLv2 support
From: Steve Grubb <sgrubb () redhat com>
Date: Wed, 02 Mar 2016 08:53:51 -0500
On Tuesday, March 01, 2016 09:16:05 PM Kurt Seifried wrote:
> On Tue, Mar 1, 2016 at 9:03 PM, Bob Beck <beck () openbsd org> wrote:
> > While you certainly won't see me defending SSLv2 (I think we were the
> > first to delete it outright) there are many other things that currently
> > fall into that category. I'm agreeing with your sentiment but if you are
> > to consider usage of SSLv2 as CVE worthy, then you will need to do the
> > same for SSH version 1, among other things. So while I certainly
> > appreciate and even agree with your sentiment, it seems rather timed
> > politically based on a decision made by one implementation of SSL/TLS
> > that reflects a decision made by most other implementations long ago.
> > So far from me to say what CVE's should and shouldn't be used for and
> > issued for, but if this is the road we're going down can I please have
> > permission to use your above quoted paragraph with s/SSLv2/SSH V1/g to
> > request a CVE for *usage or support* of SSH version 1? You said it
> > perfectly.
>
> I would be totally fine with that, SSH protocol v1 is long overdue for
> "needs to be taken out back and shot along with whoever enabled it by
> default". From OpenSSH's sshd_config:
>
> # The default requires explicit activation of protocol 1
>
> I think that says it all.
I'm not entirely sure that CVE is the right vehicle to express the issue.
Exploitation of this would be an attacker using code to exploit a poor
implementation or design problem. There are code weaknesses tracked by CWE,
vulnerabilities in implementations tracked by CVE, and attacks tracked by
CAPEC. They reference each other as follows: CAPEC->CVE->CWE. Maybe a CWE
somewhere in this category is what you are after:

https://cwe.mitre.org/data/definitions/958.html

-Steve