Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <51F0E89D.7010806@redhat.com>
Date: Thu, 25 Jul 2013 02:58:05 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Matthew Wilkes <matt@...distillery.eu>
Subject: Re: Re: CVE Request - PloneFormGen, multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/19/2013 07:53 AM, Matthew Wilkes wrote:
>> Sorry thought i had replied to this. I need links to the code 
>> commits/vuln code so I can confirm these.
>> 
>> To reiterate: so I can confirm CVE assignments, and prevent
>> duplicate assignments you *MUST* provide links to the code
>> commits/vulnerable code. I don't have the time to go hunting
>> through your source code for them. People need to start making
>> better CVE requests, or you're not going to get CVEs from me.
> 
> Sorry, I wasn't aware you'd be wanting to trawl through the source 
> yourself, tried to provide enough context in the original.

Quite honestly I want to go through your source code, or for that
matter any ones source code I'm not personally responsible for like I
want to get kicked in the face by a horse.

But I also want to make sure CVE's get assigned correctly. So three
main problems arise:

1) Does the issue(s) need a CVE? sometimes they are security hardening
that look a lot like security vulnerabilities, but ultimately are not
(see Steven's recent email about timing attacks/user name disclosure
in Django for a good example of this).

2) incorrect SPLIT/MERGE of issues (it can be subtle)

3) duplicate CVE assignments

Having QUICK access to the source code vulns/corrections makes all the
above much much easier.

Plus I'm not the only one analysing these issues, other open source
vendors who ship your code may want to back port the fix, or make sure
the fix is correct, or look for similar problems in your source code.

Then you've got companies like iSIGHT Partners and iDefense (whom I
formerly contracted for) that are just two of literally HUNDREDS of
companies that go through all the stuff posted here (and
Bugtraq/Full-Disclosure, and every other security list on the planet).
This means rather then HUNDREDS of people having to hunt down the
specific source code links/patches the original CVE requester makes
sure it gets taken care. This scales and is much more efficient. Plus
the original requester is a lot more likely to get it correct.

You're not asking for CVE's in a vacuum. CVE's are widely used by
literally millions of people and organizations, we need to make sure
they are done right or we will cause an obscene amount of time and
money to be wasted.

CVE assignment to follow tomorrow because it's 3am here.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR8OidAAoJEBYNRVNeJnmTR9QP/i0mhCdFmjd5jhLznVHOspzs
cutqLnLEifmdUx5b6pEdBeV/4xIToEpA4NSXUH9k0wm5oJVTQAMznavRVrsAPyro
pGzgZr8CdY//NuFrfcK02qwBTwwvevVmPt1zWLSe+PJ4oxEj6tILxqUKEIolDri3
QMUOs2Yr+GQOEa50Al4GraDHSQOPjdzI4hmQ4gOwOH6JA5It7+dTePvtCMj18Sof
Wq9vBitqog7WMdT8C5vKx//DgP/Wrk6kDsdLCIxjrRhAuApExnCr7W+WjBfKe1rH
LRT82Fxoe0TnGH+0RrH3Z1UEJkAyGtv2WEePCU7eSHubwndq2lt0ewACW+hK/fsr
kMvdNBvlPC877RkvHLEznJSII5cAXBdEHhDnBgRlnR7mWrAMdaoTkyvLJNUm3Swy
p0mfuLXDu7e1O+pKhQbHjykv27bunIMa0i1pHJ5fx3EXsB4mvei+CNt9/1VzgySO
HbSVcOMBX05o/pCwpaAyrwfMsNwCqWNXZRCkrmu+LwuZg7SJDy4YHXuDgWuwd/7D
ASuiLB/ue2syXyJs8ImWSSrzsl62SH8F4LZRqiaEZbO3Shdiko75pMAZpBTsi3qL
/6mv7l84YEKir8McUwuMp6U8MTXxTbSR2VAnrQvuEVWC1ydK5VZz0A4Cw3lwG6d7
roWkIh0hY2cJZwEPkX2r
=8Vjl
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.