Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <201211091603.qA9G3Tu3011820@linus.mitre.org>
Date: Fri, 9 Nov 2012 11:03:29 -0500 (EST)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, matthew.wilkes@...ne.org, jpokorny@...hat.com,
        security@...ne.org
Subject: Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>It looks like some of these can be CVE merged, e.g. 14 and 15, 1 and
>5, can you confirm that these should not be merged?

Thanks for constructing this comprehensive table, but please do not
merge 14 and 15, or 1 and 5.

CVE assignment by MITRE most often has merges when the available
information suggests one of these two situations:

  A. Flaw types that have been used for many years and are thought to
     be well understood. At present, a large fraction of our merges
     are for XSS, SQL injection, CSRF, buffer overflows, integer
     overflows, use-after-free issues, and directory traversal.
     However, a merge can occur correctly for any flaw type.

  B. The multiple pieces of disclosed information are identical except
     for names and values. This occurs, for example, in disclosures of
     incorrect permissions for multiple files. Another example is bad
     passwords for multiple accounts.

At this point in the history of CWE, a discloser's choice of the same
CWE identifier for two different bugs might not be a strong indication
that a CVE merge should occur.

When a merge decision is unclear, it's almost always better not to
merge. From the perspective of MITRE in producing CVE content, one
primary reason is that a merge can make a CVE description difficult to
understand. There are other reasons that are more important to other
audiences. For example, some CVE consumers don't like situations in
which a vendor publishes multiple disclosure documents that explain
different aspects of the same CVE. Other CVE consumers don't like a
shared name for two bugs that they will always discuss separately.

In the current case, we don't want to debate whether the CWE choices
are "right" or "wrong" but instead just briefly indicate that there
may be multiple perspectives and thus the merge decisions are unclear.

14 and 15: One might argue that these are different because 14 is
about algorithmic complexity but 15 isn't.

01 and 05: One might argue that these are different because 05 is
about incomplete security declarations but 01 isn't.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)

iQEcBAEBAgAGBQJQnSazAAoJEGvefgSNfHMdP5MIAILyoTU/UROVI8Bm0gQTgHwC
V1gV5jVjA0NZs5tjcAAodSHPQIHBkxelvJvxwzEsRw43BDgRINtdtbn3JFHXgrv/
iapc+uubGmik8d+jzxLU/XhiA4xhq9IvTsWIMOHpbq7Q6WNa63HR4E3/3IrI0wei
KnINO4aVwSklNYz2wAugll07/GLHMeMRUfWbJOb4aVY9wiDFcsUW39bdmFaAfmv3
1QVCwL3n74HAIYQSZsg4O1JrVe5tIfae0aHpto+0ATK21rc1/09tZyhnblUsOMbd
QJQ5EKYusDVIXoMq4Ay489AyLq8jlaHNkfeSpsw8O0sEM0I6ngTuCemzaSZP3mM=
=QuVC
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.