[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Simplified Draft Counting Paper for CVE Editorial Board Review
- To: Kurt Seifried <kseifried@redhat.com>, Art Manion <amanion@cert.org>
- Subject: Re: Simplified Draft Counting Paper for CVE Editorial Board Review
- From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Date: Thu, 7 Jul 2016 10:08:51 -0400
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cerias.purdue.edu;mitre.org; dkim=none (message not signed) header.d=none;
- Cc: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
- Delivery-date: Thu Jul 7 15:21:39 2016
- In-reply-to: <CANO=Ty0Js+wfgWj73jr6fuy6xRhpmbP5TgJCDm93EpdSR-L-NQ@mail.gmail.com>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <CY1PR09MB08731B8AFA8A70B3E69F46FEC7860@CY1PR09MB0873.namprd09.prod.outlook.com> <56FC3FFD.7070905@cert.org> <CANO=Ty0Js+wfgWj73jr6fuy6xRhpmbP5TgJCDm93EpdSR-L-NQ@mail.gmail.com>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 43da9c421be74aed97248473db21fd15
- Spamdiagnosticoutput: 1:2
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.1.0
The "incomplete fix == another CVE" mode of operation makes sense to me as the code base has changed, and presumably also the mistakes and assumptions made also changed, which is interesting academically and from a teaching perspective. The repeated attempts to fix something are interesting to me, and using different CVEs makes that easier to follow and examine. I believe this is fine and helpful. Additional coverage and linkage would be more the province of databases based on the CVE, or the CWE.
Pascal On 03/30/2016 08:09 PM, Kurt Seifried wrote:
One thing to keep in mind I think is that at a high level CVE stands for "Common Vulnerabilities and Exposures", so obviously it's used to track vulns, but on the other side CVE is also heavily used to track remediation, be it software updates, workarounds, compensating controls, whatever. A good example of this is the search results: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=incomplete+fix+for I'm not sure we need to cover it much beyond the "incomplete fix == another CVE", thoughts/comments? -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert@redhat.com
- Next by Date: CVE Editorial Board teleconference summary - June 30, 2016
- Next by thread: CVE Editorial Board teleconference summary - June 30, 2016
- Index(es):
