
Re: MODIFY-01 cluster: 25 CERT candidates moved to MODIFICATION phase



A question that will come up again and again is whether the CVE lists:
    configuration vulnerabilities
    platform vulnerabilities
    software flaws
    attack types (exploits)

Or something completely different.

 From my point of view, if the software involved harkens from a 
different code base, then it merits a different listing.   Thus, a 
buffer overflow in mail servers should take multiple listings if it 
affects different servers.

The attack may be the same.   The underlying software flaw is the 
same.  But the CVE should reflect the configuration that is 
vulnerable, and that may require multiple entries.

My $.02.

--spaf

Page Last Updated or Reviewed: May 22, 2007