Re: CVE-2017-7269 and abandonware
On 2017-03-30 11:55, Kurt Seifried wrote:
> I know for a fact we have Linux that is 10 years out of support (EoL)
> and still in use, and if there was a flaw specific to that (and not
> newer versions) I would still CVE it so at least people are aware of
> the flaw's existence. And like G.I. Joe says "knowing is half the battle".
Yes, cases like this should get CVE IDs. My question was who assigns
them, so CNA rules/guidance.
> On Thu, Mar 30, 2017 at 8:48 AM, Coffin, Chris <ccoffin@mitre.org> wrote:
>
> I agree with Kent's perspective on this.
Me too.
> In this specific case, the discoverer contacted the CNA and received
> a case number. However, they were told that the unsupported/obsolete
> product was outside the scope of the CNA.
So the vendor CNA did not issue an ID, then the MITRE CNA did?
> > Is the vendor CNA primarily responsible, if one exists?
>
> Yes. We should always give them the opportunity and redirect to them
> first if they exist. If they refuse, then a next available CNA could
> be contacted. One item for the Board discussion: as the backup CNA,
> how would we verify that this conversation took place?
Requestor explicitly asks vendor CNA for an ID, vendor explicitly says
no or does not respond in a reasonable period of time, requestor has
email evidence to support this exchange?
- Art