[VIM] Re: A few more apps vulnerable to PHP XML-RPC exploits (fwd)

security curmudgeon jericho at attrition.org
Fri Jul 8 19:10:39 EDT 2005


: > We're still debating on whether this gets one entry in OSVDB, or gets
: > broken out (like CVE appears to be doing).
: 
: CVE is doing this by accident because certain applications aren't 
: directly saying that they're vulnerable to this particular problem, and 
: we've only just become aware of how much this is being used.
: 
: The normal approach in CVE is to assign one identifier per codebase, 
: regardless of how many applications use it.  This obviously has its own 
: difficulties, especially for people who use CVE to track vulnerabilities 
: in specific deployed applications in their enterprise.  On the other 
: hand, if someone asks "hey, I've been hearing about this XML-RPC bug, 
: does product X have it?"  they have a better chance of answering that 
: question. This is one example why CVE is an 80% solution for everybody 
: but not a 100% solution for anybody.

Right. I certainly see value in breaking it out by product, especially 
when implementations may vary a bit or there are other mitigating 
circumstances that are product/vendor specific.

: zlib is another good example of a library that's heavily used across 
: many products.

Yah, these two vulns (zlib/xmlrpc) are fairly nasty due to that alone.
