|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CVE-2017-7269 and abandonware
- To: Art Manion <amanion@cert.org>, "cve-editorial-board-list@lists.mitre.org" <cve-editorial-board-list@LISTS.MITRE.ORG>
- Subject: Re: CVE-2017-7269 and abandonware
- From: "Landfield, Kent B" <kent.b.landfield@intel.com>
- Date: Thu, 30 Mar 2017 14:33:23 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=intel.com;
- Delivery-date: Thu Mar 30 10:50:47 2017
- In-reply-to: <61d7bb21-5632-b826-b289-661d0fd27209@cert.org>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <61d7bb21-5632-b826-b289-661d0fd27209@cert.org>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- Thread-index: AQHSqV2Wf4qOA0cEoEagzLggFmtUXKGtk/eA
- Thread-topic: CVE-2017-7269 and abandonware
- User-agent: Microsoft-MacOutlook/f.20.0.170309
From my perspective... I would like it to be the vendor CNA if one
still exists. If the vendor refuses or is no longer in business, then
next up would be to go to a secondary CNA such as you list.
I would hope the vendor would want to issue that themselves even if the
product is EOL. There is concern in various circles that this type of
acknowledgement from the vendor on an EOL’ed product could cause some
liability on that vendor. Abandonware is going to become more and more
of a problem with the new emerging device landscape. Who owns the
problems they create?
This is actually a great conversation for the Board to have.
---
Kent Landfield
+1.817.637.8026
On 3/30/17, 8:52 AM, "owner-cve-editorial-board-list@lists.mitre.org on
behalf of Art Manion" <owner-cve-editorial-board-list@lists.mitre.org
on behalf of amanion@cert.org> wrote:
Who issued CVE-2017-7269 (IIS 6 WebDAV vulnerability)?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7269
What are the assignment rules for abandonware (or unsupportedware)?
Is the vendor CNA primarily responsible, if one exists?
Next, is it up to a more generic CNA like MITRE, DWF, CERT/CC,
JPCERT/CC?
- Art
- Follow-Ups:
- RE: CVE-2017-7269 and abandonware
- From: "Coffin, Chris" <ccoffin@mitre.org>
- RE: CVE-2017-7269 and abandonware
- References:
- CVE-2017-7269 and abandonware
- From: Art Manion <amanion@cert.org>
- CVE-2017-7269 and abandonware
- Prev by Date: RE: CVE/CNA coverage
- Next by Date: Re: CVE/CNA coverage
- Previous by thread: CVE-2017-7269 and abandonware
- Next by thread: RE: CVE-2017-7269 and abandonware
- Index(es):