Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)
* Steven M. Christey (coley@LINUS.MITRE.ORG) [000613 16:17]:
> Bill Fithen said:
>
> >> *4) If P1 and P2 are not fixed by the same patch or set of patches,
> >> then they must remain SPLIT.
>
> >I think this rule is inappropriate for CVE's purposes... Vendors
> >package software according to the rules of their business, not
> >according to the technical content of the software...
> >most of the ones following this one are focused on the nature of the
> >vulnerability and the related software engineering practice that
> >produced it. This rule is not.
>
> So some of these rules, while moving away from looking at the bug
> itself, are designed to find "supporting evidence" that will help us
> to make a reasonably explainable (and repeatable) decision in the
> absence of good facts. That said, the fact that patches are
> implemented differently might require at least a reordering of the
> "evidence" rules.

While sympathetic, I agree with Bill. A patch really provides no strong
"supporting evidence" that two vulnerabilities are the same, except that
the vendor decided to fix them at the same time.

> - Steve

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum