Re: Should be a CVE?



On 2017-09-12 15:19, Waltermire, David A. (Fed) wrote:
> Looking at the following, it appears that a CVE was issued for the 
> potential that someone might upgrade software to a vulnerable 
> version, which has another CVE. I don't think this should qualify as 
> a CVE, given the actual vulnerability already has one. 
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5698
> 
> Should this CVE be rejected?

I think it should be rejected.

Version A1 has vulnerability V1, and version B1 has vulnerability V2; V1 
and V2 are documented (have CVE IDs). The ability to change from V1 to 
V2 does not warrant a CVE ID.

My ability to install/upgrade/downgrade to any software version does 
not get a CVE ID, even if what I'm moving to has known CVE IDs.

Intel is welcome to release an advisory; upgrading and being 
newly/differently vulnerable is unexpected, which goes to the core of 
many vulnerability/security issues. But no CVE ID.

 - Art


Page Last Updated or Reviewed: September 12, 2017