[VIM] 267 Missing CVE in Jan, 2013 - please assign
Brian Martin
brian at opensecurityfoundation.org
Wed Mar 20 15:11:47 CDT 2013
On Wed, 20 Mar 2013, Kurt Seifried wrote:
: > http://preview.tinyurl.com/2013-01-missing-cve
: How have you confirmed that no cve is assigned? E.g. a quick look and I
: see at least one for which I assigned CVEs publicly:
The current system makes that time-consuming and 'cost' prohibitive to us.
There are too many CNAs operating, and the current system is not designed
to allow a CNA-assigned ID to appear in a central location (e.g.
cve.mitre.org) to verify. As you mentioned in your previous mail to VIM,
if a system was in place so we could see the assignment, even if the CVE
has not been completed (e.g. the text, x-refs to the usual VDBs), that
would be extremely helpful. Having to wait months to see the actual CVE is
problematic.
: http://direct.osvdb.org/show/osvdb/89328
: Piwik Multiple Unspecified XSS
: http://piwik.org/blog/2013/01/piwik-1-10/
:
: I assigned the CVEs here:
: http://www.openwall.com/lists/oss-security/2013/01/17/15
:
: based on the same url as you
: (http://piwik.org/blog/2013/01/piwik-1-10/). So I can't simply use
: this list to assign CVE's for the Open Source stuff since it is
: incorrect (e.g. stuff for which you say no CVE is assigned do have
The list isn't "incorrect", we simply missed one (likely a few) CVE
assignments, again because of the varied places they can pop up for
initial disclosure. While we follow OSS-Sec almost daily, sometimes the
delays in assigning via that list (e.g. when there is discussion leading
up to the assignment) is substantial as well.
: CVE's assigned). I also don't have the time to confirm a CVE was not
: assigned through some other method (e.g. via Mitre/etc.).
Neither do we. We already spend a *lot* of time trying to get timely CVE
information added to our entries. So I asked CVE to deal with these
assignments, not you, or OSS-Sec, or any other CNA.
: Also for the vendor stuff like Apple/Adobe/Google where that vendor is a
: CNA have you reached out to them to confirm no CVE is assigned and/or
: get a CVE assigned as needed?
Honestly, no, and it shouldn't be our job to do that. If a CNA is
releasing security fix information themselves, and not assigning a CVE
promptly, AND including it in the public source we got the information
from, then their CNA status should be revoked. They completely miss the
point of CVE. If Google is a CNA, and there is a security-related
Chrome/WebKit issue in their tracker, then a CVE should be included with
it as soon as it is identified as security-related. If that is too much to
ask, they don't need to be a CNA, when other CNAs (e.g. you) are
incredibly responsive and very quick to assign.
Using your example above, if a WebKit issue is deemed security related,
who exactly would issue the CVE in that case, if both Apple and Google are
CNAs? They both contribute to the project. I don't know about you, but I
would rather not hold my breath while those two organizations bang their
heads together for a few days or weeks trying to figure out who gets to
assign. Google is already doing a MISERABLE job in making their
vulnerabilities clear. The last 30 days, Carsten Eiram has found an
incredible number of "Chrome" vulnerabilities that are really WebKit, and
potentially affect more browsers than just Chrome.
I understand that CVE is strained under the pressure of assignments
lately, and the last year of board meetings have made it clear that they
simply can't keep up. Knowing that, I think CVE should focus on
streamlining the process to assist the community, rather than keep doing
the same thing. Just like CVSS is on v2, with v3 in the works, CVE needs
to evolve every couple of years to handle the work load.
Also note that my mail requesting these CVEs was half in jest. Sure, I
would love to see a CVE assigned for every known issue, but they have made
it clear that can't happen most likely. Hell, even you have told Debian
"no" when they gave you a concise list of security issues and asked for
CVE identifiers. Rather than work through the list, you said they had to
post to OSS-Sec to request them. I understand your decision to do so, but
it also speaks to the problem of volume.
Earlier last year I suggested that CVE utilize more CNAs to handle this. I
still advocate that, but I must ammend my suggestion to include
"responsible CNAs", as most operating these days are not so helpful.
Brian
More information about the VIM
mailing list