[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE program priorities

To: Art Manion <amanion@cert.org>
Subject: Re: CVE program priorities
From: Kurt Seifried <kseifried@redhat.com>
Date: Tue, 29 Dec 2015 21:54:49 -0700
Authentication-Results: spf=none (sender IP is 129.83.29.3)smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (messagenot signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=noneheader.from=redhat.com;
CC: "Eugene H. Spafford" <gene.spafford@gmail.com>, cve-editorial-board-list<cve-editorial-board-list@lists.mitre.org>
Delivery-Date: Wed Dec 30 16:45:44 2015
In-Reply-To: <5682E56D.2030405@cert.org>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CY1PR09MB0873A71369CCDDE1AF00AB26C7E50@CY1PR09MB0873.namprd09.prod.outlook.com> <90DB6619-A293-44F1-A2DE-4379595EACD5@gmail.com> <5682E56D.2030405@cert.org>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
SpamDiagnosticMetadata: 43da9c421be74aed97248473db21fd15
SpamDiagnosticOutput: 1:2

On Tue, Dec 29, 2015 at 12:56 PM, Art Manion <amanion@cert.org> wrote:

A few collected responses...

On 2015-12-22 15:22, Eugene H. Spafford wrote:

On 2015-12-22 14:28, Kurt Seifried wrote:
> I think we should really split the problem into:
>
> 1) assigning CVEs
>
> 2) the CVE database
>
> as #1 can happily exist with or without #2.

This is an important point. #1 is identification, this thing is called
CVE-X. Some amount of information (#2) is needed to perform #1 --
uniqueness determination at least. That amount could be reduced at the
cost of more duplicates or overall less short-term quality for #2.

So one note: most Open Source security issues have a CVE associated with either the code commit the created the vuln, the code commit that fixed the vuln, or a security report that typically at least identifies the vulnerable function and describes what happened (usually with a code snippet example). So at least from the Open Source side mostly what we care about is "what is the vulnerable code" because then anyone can check if they are vulnerable or not with relative ease and a high degree of certainty.

A perfect example of this being some vulns in giflib's giffix utility, we (Red Hat) ship a product which includes PhantomJS which in turn embeds giflib, so I crack the source rpm open to see what version of giffix is included in our PhantomJS and good news is, it doesn't include giffix, just the giflib library bits.

The current state of http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7555 is the "reserved" statement.

Now obviously the closed people are in a bit more of a difficult position, without a security report that lists reliable version affected/not affected information, or a reproducer to test it they are largely in the dark. But this problem currently exists because I doubt Mitre is actively verifying/testing/writing reproducers for closed source reports (if they are I'd love to know) but is instead consuming security reports from vendors/etc. like the rest of the world.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

References:
- CVE program priorities
  - From: "Boyle, Stephen V." <sboyle@mitre.org>
- Re: CVE program priorities
  - From: "Eugene H. Spafford" <gene.spafford@gmail.com>
- Re: CVE program priorities
  - From: Art Manion <amanion@cert.org>

Prev by Date: Re: CVE program priorities
Prev by thread: Re: CVE program priorities
Next by thread: Re: CVE program priorities
Index(es):
- Date
- Thread