[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MODIFY-01 cluster: 25 CERT candidates moved to MODIFICATIONphase

A question that will come up again and again is whether the CVE lists:
    configuration vulnerabilities
    platform vulnerabilities
    software flaws
    attack types (exploits)

Or something completely different.

 From my point of view, if the software involved harkens from a 
different code base, then it merits a different listing.   Thus, a 
buffer overflow in mail servers should take multiple listings if it 
affects different servers.

The attack may be the same.   The underlying software flaw is the 
same.  But the CVE should reflect the configuration that is 
vulnerable, and that may require multiple entries.

My $.02.


Page Last Updated or Reviewed: May 22, 2007