[Date Prev][ Date Next ][Thread Prev][ Thread Next ][ Date Index ][ Thread Index ]

Re: Simplified Draft Counting Paper for CVE Editorial Board Review

To : Kurt Seifried < kseifried@redhat.com >, Art Manion < amanion@cert.org >
Subject : Re: Simplified Draft Counting Paper for CVE Editorial Board Review
From : Pascal Meunier < pmeunier@cerias.purdue.edu >
Date : Thu, 7 Jul 2016 10:08:51 -0400
Authentication-results : spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cerias.purdue.edu;mitre.org; dkim=none (message not signed) header.d=none;
Cc : cve-editorial-board-list < cve-editorial-board-list@LISTS.MITRE.ORG >
Delivery-date : Thu Jul 7 15:21:39 2016
In-reply-to : <CANO=Ty0Js+wfgWj73jr6fuy6xRhpmbP5TgJCDm93EpdSR-L-NQ@mail.gmail.com>
List-help : < mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST >
List-owner : < mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG >
List-subscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG >
List-unsubscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG >
References : <CY1PR09MB08731B8AFA8A70B3E69F46FEC7860@CY1PR09MB0873.namprd09.prod.outlook.com> <56FC3FFD.7070905@cert.org> <CANO=Ty0Js+wfgWj73jr6fuy6xRhpmbP5TgJCDm93EpdSR-L-NQ@mail.gmail.com>
Sender : < owner-cve-editorial-board-list@lists.mitre.org >
Spamdiagnosticmetadata : 43da9c421be74aed97248473db21fd15
Spamdiagnosticoutput : 1:2
User-agent : Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.1.0

The "incomplete fix == another CVE" mode of operation makes sense to me as the code base has changed, and presumably also the mistakes and assumptions made also changed, which is interesting academically and from a teaching perspective. The repeated attempts to fix something are interesting to me, and using different CVEs makes that easier to follow and examine. I believe this is fine and helpful. Additional coverage and linkage would be more the province of databases based on the CVE, or the CWE.


Pascal

On 03/30/2016 08:09 PM, Kurt Seifried wrote:

One thing to keep in mind I think is that at a high level CVE stands for
"Common Vulnerabilities and Exposures", so obviously it's used to track
vulns, but on the other side CVE is also heavily used to track
remediation,
be it software updates, workarounds, compensating controls, whatever. A
good example of this is the search results:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=incomplete+fix+for

I'm not sure we need to cover it much beyond the "incomplete fix ==
another
CVE", thoughts/comments?

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Next by Date: CVE Editorial Board teleconference summary - June 30, 2016
Next by thread: CVE Editorial Board teleconference summary - June 30, 2016
Index(es):
- Date
- Thread