oss-security September 2010 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: Re: [oss-security] CVE request: epiphany not check

Re: [oss-security] CVE request: epiphany not checking ssl certs

From: Michael Gilbert <michael.s.gilbert_at_nospam>
Date: Fri Sep 17 2010 - 18:58:55 GMT
To: oss-security@lists.openwall.com

On Fri, 17 Sep 2010 14:45:28 -0400 (EDT), Steven M. Christey wrote:
>
> If an application does not advertise a security feature, then in general
> we will not give a CVE because of its absence of the feature (I don't want
> to give out 50,000 CVEs for every protocol that does cleartext
> transmission... or uses DES... etc.) Similarly, we generally avoid
> assigning CVEs to "defense in depth" fixes, although the line between
> "vulnerability" and "defense in depth" can get fuzzy.
>
> The http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564690#5 title says
> "Does not longer check certificates" which could be interpreted to mean
> that it used to check certs, and now it doesn't. If that's the case, then
> it makes sense to assign a CVE.

The feature was lost in the transition from gecko to webkit (or more
accurately libsoup for certificate support). I think it makes sense to
assign an id since it does involve the loss of an expected security
feature.

Mike