Re: CVE-2017-7269 and abandonware

• To: Kurt Seifried <kseifried@redhat.com>, "Coffin, Chris" <ccoffin@mitre.org>
• Subject: Re: CVE-2017-7269 and abandonware
• From: Art Manion <amanion@cert.org>
• Date: Thu, 30 Mar 2017 12:00:41 -0400
• Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cert.org;
• Cc: "Landfield, Kent B" <kent.b.landfield@intel.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
• Delivery-date: Thu Mar 30 12:58:38 2017
• Dkim-filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu v2UG0hcS006923
• In-reply-to: <CANO=Ty0VuR9Y_MAOCMQWNDMSUxjZWh3O_mg18z8q_kXC2WM9FQ@mail.gmail.com>
• List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
• List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
• List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
• List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
• References: <61d7bb21-5632-b826-b289-661d0fd27209@cert.org> <8B39937B-A236-48D9-90D8-673A5EA26850@intel.com> <MWHPR09MB1485A8FC0D3BE96D12A38E3DA1340@MWHPR09MB1485.namprd09.prod.outlook.com> <CANO=Ty0VuR9Y_MAOCMQWNDMSUxjZWh3O_mg18z8q_kXC2WM9FQ@mail.gmail.com>
• Sender: <owner-cve-editorial-board-list@lists.mitre.org>
• Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
• Spamdiagnosticoutput: 1:2
• User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

On 2017-03-30 11:55, Kurt Seifried wrote:

> I know for a fact we have Linux that is 10 years out of support (EoL)
> and still in use, and if there was a flaw specific to that (and not
> newer versions) I would still CVE it so at least people are aware of 
> the
> flaws existence. And like G.I. Joe says "knowing is half the battle". 

Yes, cases like this should get CVE IDs.  My question was who assigns
them, so CNA rules/guidance.

> On Thu, Mar 30, 2017 at 8:48 AM, Coffin, Chris <ccoffin@mitre.org
> <mailto:ccoffin@mitre.org>> wrote:
> 
>     I agree with Kent's perspective on this.

Me too.

>     In this specific case, the discoverer contacted the CNA and 
> received
>     a case number. However, they were told that the 
> unsupported/obsolete
>     product was outside the scope of the CNA.

So the vendor CNA did not issue an ID, then the MITRE CNA did?

>     > Is the vendor CNA primarily responsible, if one exists?
> 
>     Yes. We should always give them the opportunity and redirect to 
> them
>     first if they exist. If they refuse, then a next available CNA 
> could
>     be contacted. One item for the Board discussion, as the backup CNA
>     how would we verify that this conversation took place.

Requestor explicitly asks vendor CNA for an ID, vendor explicitly says
no or does not respond in a reasonable period of time, requestor has
email evidence to support this exchange?

 - Art

• Follow-Ups:
  • RE: CVE-2017-7269 and abandonware
    • From: "Coffin, Chris" <ccoffin@mitre.org>

• References:
  • CVE-2017-7269 and abandonware
    • From: Art Manion <amanion@cert.org>
  • Re: CVE-2017-7269 and abandonware
    • From: "Landfield, Kent B" <kent.b.landfield@intel.com>
  • RE: CVE-2017-7269 and abandonware
    • From: "Coffin, Chris" <ccoffin@mitre.org>
  • Re: CVE-2017-7269 and abandonware
    • From: Kurt Seifried <kseifried@redhat.com>

• Prev by Date: Re: CVE-2017-7269 and abandonware
• Next by Date: RE: CVE-2017-7269 and abandonware
• Previous by thread: Re: CVE-2017-7269 and abandonware
• Next by thread: RE: CVE-2017-7269 and abandonware
• Index(es):
  • Date
  • Thread