Date: Sat, 08 Mar 2008 16:12:15 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,  tss@....fi
Subject: Re: CVE? CCE? dovecot setting is often used incorrectly

* Jonathan Smith:

> I've been trying to figure out what to do with this one. I'm not
> inclined to believe it deserves a CVE given that it is configuration
> (either dovecot config or filesystem permissions configuration). I read
> once on mitre.org about "Common Configuration Enumeration" aka "CCE"
> issues, but I've never seen them actually used. Maybe this is a good
> candidate?

Debian will release a security update with a patch, so we need a CVE
anyway.  We might use one from our pool (after all, it's an interplay
between our default MTA and Dovecot, and may not be very widespread), or
we might reference a generic one.  I don't know which one is better.
