
Re: Tentative decision: ACCEPT 5 SA category candidates (Final 9/28)



Problems with the "valid" and "any" parts of the description: if someone (a person, an IDS, a scanner, etc.) wants to report something about finger (I see finger being used, finger is running on this host, etc.) using the CVE, they should not be burdened with the requirement to determine that the service returns _valid_ data. Also, the service need not be offered to every (i.e. "any") host on the network to constitute a problem. Both of these components are a matter of determining exposure, but they should not be part of the definition.

A bit more. There are many other situations where we could argue that, because the data is invalid, or a filter or wrapper would help, or something else, the vulnerability or exposure you think system X has does not really exist. For example, my fool-proof chroot environment with a particular web server running inside a virtual machine (insert as many protections as you like), so the phf attack that your scanner says I am vulnerable to, or that your IDS sees being used, or that your sysadmin notices is possible, is not a vulnerability to me. Of course, we still need a CVE entry for phf. So when we or our tools report the existence of CVE #X, this really means (whether X is a vulnerability or an exposure) that X is _potentially_ a problem. To know for sure one must assess the situation in light of policy, network configuration, the existence of special countermeasures, etc.

So, let's not refer to the validity of the data, or similar such things, in the CVE!

If I understand Spaf's reasoning, the heart of the exposure is that user information is returned. The vehicle (in this case) is finger. So I suggest the following:

- The exposure is: "User information is disseminated" (or some such thing)
- A particular instance of this would be finger. Also, rusers, rwho, ...

I suggest using the dot notation here to make each different service a separate entry.

Bill

Gene Spafford wrote:
> At 12:00 PM -0400 9/28/99, Steven M. Christey wrote:
> 
> >Note that the entry says "the finger service is running". It does
> >not say that the original, unmodified service is running.
> >
> >How about this:
> >
> >"A version of finger is running that releases valid user information
> >to any entity on the network."
> 
> I would be happier with this and similarly modified descriptions for
> the other services.
> 
> --spaf
begin:vcard
n:Hill;William
tel;work:703-883-6416
x-mozilla-html:TRUE
org:The MITRE Corporation
adr:;;1820 Dolley Madison Blvd.;McLean;Virginia;22102;
version:2.1
email;internet:bill@mitre.org
title:Information Security Engineer
fn:Bill Hill
end:vcard



Page Last Updated or Reviewed: May 22, 2007