[conspire] Trouble in CVE-land

Rick Moen rick at linuxmafia.com
Sun Mar 6 16:06:40 PST 2016


Kurt Seifried on mailing list oss-security has started at
http://www.openwall.com/lists/oss-security/2016/03/04/4 a very
interesting thread about apparent wide dissatisfaction with the Common
Vulnerabilities and Exposures (CVE) system -- and some people are
speaking of its breakdown.  The CVE system is administered by a heavily
Federal-influenced non-profit corporation, MITRE.  MITRE was founded in
1958 as a technical affiliate to the US Air Force, and stepped into
being the Certification and Accreditation (C&A) authority for CVEs
starting in 1999.

Every time you see a distro update to fix a security hole, it cites one
or more CVE that it addresses.  Internet sites that handle credit cards
must periodically pass PCI (personal card industries) audits partially
on the basis of whether they have adequately addressed CVEs.

In the modern world of security, CVEs are Important Stuff.

The current problem started when a bunch of security researchers
realised they were not the _only_ people unable to get CVE numbers
assigned to certain real security problems, that it was everyone, and
that there has been a troublesome trend at MITRE of reducing coverage.

Until now, it's been a common (and reasonable) assumption that any
significant security problem would be evidenced by a CVE.  I'm not sure
what all the ramifications of this story are, yet.  (Adjunct systems for
IDing security vulnerabilities do already exist to alleviate the logjam,
such as the OVE one:  http://www.openwall.com/ove  Though it has its
problems:  http://www.openwall.com/lists/oss-security/2016/03/05/9 )



----- Forwarded message from Salvatore Bonaccorso <carnil at debian.org> -----

Date: Sun, 6 Mar 2016 18:58:48 +0100
From: Salvatore Bonaccorso <carnil at debian.org>
To: Brian May <brian at linuxpenguins.xyz>
Cc: debian-lts at lists.debian.org, debian-security at lists.debian.org,
	debian-security-tracker at lists.debian.org
Subject: Re: tracking security issues without CVEs

Hi Brian, hi Paul,

On Sun, Mar 06, 2016 at 04:59:43PM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
> > Just wondering if there is some other way we can track security issues
> > for when CVEs are not available.
> > 
> > Thinking of imagemagick here, it has a lot of security issues, and
> > requests for CVEs are not getting any responses.
> 
> Creating individual bugs in the Debian BTS, including more details
> like fixing commits would be a great start, since we use either CVEs
> or references to the Debian BTS in DSAs (and DLAs). Furthermore the
> security-tracker handles both (you can actually search items there via
> either CVE id, bug number or package name).
> 
> The original CVE request at
> http://www.openwall.com/lists/oss-security/2014/12/24/1 was IMHO not
> fully optimal, since it just pasted a collection of items. Adding
> references to fixing commits would have helped to get CVEs assigned to
> issues.  The original request at least makes it really hard to
> identify the issues and make sure the CVEs are assigned correctly.

Just one comment which I forgot to address in the previous mail,
regarding the OVE identifiers. The question about the CVE assignments
was just re-raised yesterday on oss-security. The whole might look
promising indeed. But I think as well that it is right now too early to
start adopting these for not yet assigned issues. Instead follow the
current discussion on oss-security and let's see if across
distributions there is going to be some consensus/approach for this
issue.

For the record, the thread is starting at

http://www.openwall.com/lists/oss-security/2016/03/04/4

where Kurt Seifried from Red Hat raised the concern.

Regards,
Salvatore


----- End forwarded message -----
