|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
clarification / statement on recent CVE abstraction policy changes and more
- To: CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
- Subject: clarification / statement on recent CVE abstraction policy changes and more
- From: jericho <jericho@attrition.org>
- Date: Sun, 5 Mar 2017 18:41:52 -0600
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;
- Delivery-date: Mon Mar 6 07:46:53 2017
- Importance: high
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- User-agent: Alpine 2.00 (LNX 1167 2008-08-23)
MITRE,Could you please give the board an update about recent changes in CVE entries? Three things jumped out on the latest batch:
1. The lack of a proper product name (e.g. CVE-2017-6478, CVE-2017-6479, CVE-2017-6480) 2. The use of arbitrary date-based "versions" that are not in line with the vendor versions. We usually see this with low-end researchers trying to pass off site-specific issues as products and using a date as the version (e.g. CVE-2017-6479) 3. An apparent change in abstraction rule where five IDs were assigned for XSS issues that previously would have received one ID (e.g. CVE-2017-6487, CVE-2017-6488, CVE-2017-6489, CVE-2017-6490, and CVE-2017-6491). It appears the only reason you abstracted is that different bug tracker tickets were opened, despite the same version being impacted, same researcher, same date, etc.The first issue is just odd, and seems like someone was in a hurry, but this is problematic to sites using CVE data to generate stats, as the product names potentially don't match prior entries. I also noticed that whoever made these recent entries didn't include the obvious fixing commits that were referenced in the bug tickets. Basically, just sloppy work.
The second one is very concerning, because yeah. I shouldn't have to elaborate on that one.
The third one just seems to break a long-standing abstraction policy. I have a feeling the "different tickets" will be the justification as mentioned above, but also fairly certain that multiple mail list posts (e.g. Bugtraq or Full-Disclosure) from the same person on the same date affecting the same version of the same product didn't warrant splits before.
Any clarity on policy changes regarding these issues would be appreciated. .b
- Follow-Ups:
- RE: clarification / statement on recent CVE abstraction policy changes and more
- From: "Coffin, Chris" <ccoffin@mitre.org>
- RE: clarification / statement on recent CVE abstraction policy changes and more
- Prev by Date: Re: CVE for hosted services
- Next by Date: RE: clarification / statement on recent CVE abstraction policy changes and more
- Previous by thread: Re: CVEnew Twitter Feed
- Next by thread: RE: clarification / statement on recent CVE abstraction policy changes and more
- Index(es):