oss-sec mailing list archives

Re: Re: CVE's for SSLv2 support


From: Bob Beck <beck () openbsd org>
Date: Tue, 1 Mar 2016 14:23:39 -0700

On Tue, Mar 1, 2016 at 12:12 PM,  <cve-assign () mitre org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> If a crypto library (e.g. OpenSSL, NSS) supports AND enables SSLv2 by
>> default should it receive a CVE?
>
> There's no general answer to that question. CVE ID assignments are not
> based on outsiders making guesses about the expectations of a product's
> customers. For example, there might be a crypto library intended for
> communication on isolated networks to high-value embedded devices that
> support only SSLv2, and cannot and will not ever be updated.


What.. like... I have an embedded high value device that only supports
TELNET to access it.. OMG please give me a CVE?

Replace SSLv2 in the above sentence with telnet or ssh v1 for that
matter and you have the same issue.



> - --
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]

