Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 15 Nov 2010 16:58:27 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Marc Deslauriers <marc.deslauriers@...onical.com>
cc: oss-security@...ts.openwall.com, Bill Janssen <bill.janssen@...il.com>,
        Andreas Hasenack <ahasenack@...ra.com.br>,
        Mads Kiilerich <mads@...lerich.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- Mercurial --Doesn't verify subject
 Common Name properly


Ouch, this is painful for a number of reasons.

Maybe Python "should" get the CVE, but the decision to push the issue to 
application developers means that those developers will each have to 
provide fixes, and software consumers will have to track these related 
vulns at the application level.

(One could make the same argument about fundamental design flaws in 
standards-based protocols, for which CVE generally assigns a single 
identifier, but those issues generally feel "different" to me.  Quite 
logical, I know...)

Anyway, I think we need to assign separate CVEs for each affected product 
as an instance of "an implementation not working around security-relevant 
design limitations of APIs" (which is consistent with the approach that 
CVE has taken with respect to the DLL hijacking / insecure library loading 
issues of the past couple months.)

I've been tempted to start assigning a single CVE to design limitations 
such as this Python certificate issue, and (where needed) independent CVEs 
for affected implementations, but I'm not feeling adventurous enough yet. 
it kind of goes against the idea where each vuln has only one CVE 
associated with it.

So - use CVE-2010-4237 for the issue in Mercurial, and feel free to 
consult with me privately for the other issues if you wish.

- Steve



On Sun, 14 Nov 2010, Marc Deslauriers wrote:

> On Mon, 2010-10-11 at 15:48 -0400, Josh Bressers wrote:
>> Steve,
>>
>> Can I defer this one to MITRE? My initial thought is that python should get
>> the ID, but they seem to want to push it up to the application developers,
>> but they also added some functionality in
>> http://svn.python.org/view?view=rev&revision=85321
>>
>> Is there a past precedent for this?
>>
>
> Has any decision been made regarding CVE assignment for this? I've found
> some more python applications that aren't validating ssl certs, and am
> waiting to know how this is going to be handled.
>
> Thanks,
>
> Marc.
>
>
> -- 
> Marc Deslauriers
> Ubuntu Security Engineer     | http://www.ubuntu.com/
> Canonical Ltd.               | http://www.canonical.com/
>
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.