
Re: CD: CD proposal: SF-LOC (Software Flaws in Different Lines Of Code)



> -----Original Message-----
> From: aleph1@SECURITYFOCUS.COM [mailto:aleph1@SECURITYFOCUS.COM]
>
> * Steven M. Christey (coley@LINUS.MITRE.ORG) [000613 16:17]:
> > Bill Fithen said:
> > >
> > > > 4) If P1 and P2 are not fixed by the same patch, patch set, or
> > > > release, then they must remain split.
> > >
> > > I don't think this rule is appropriate for CVE's purposes... Vendors
> > > package software according to their business rules, not according
> > > to the technical content of the software... At bottom, the emphasis
> > > of this one is on the software engineering practices related to the
> > > vulnerable software. This rule is not.
> >
> > So these rules, while being far removed from looking at the bugs
> > themselves, are intended to find "evidence" that will help us make
> > reasonable, explainable and repeatable decisions in the absence of
> > good facts. That said, patches being implemented differently may
> > warrant at least a reordering of the "evidence" rules.
>
> While sympathetic, I agree with Bill. A patch really does not provide
> strong "evidence" that two vulnerabilities are the same, other than
> that the vendor decided to fix them at the same time.

When we release advisories, we usually say whether the problems being fixed are all part of the same issue, or whether we just happened to get 2 flaws in the same area, so we are releasing 1 fix for 2 issues. I would say that vendor input should be a strong determining factor on this one, but that absent any vendor information we ought not make that conclusive evidence. Also, matters are pretty simple with respect to a hotfix, but a full service pack could fix a large number of bugs, many of which may not be related. This difference between a hotfix and a service pack is also specific to Microsoft, and other people will probably do things differently. To use the example of vendors who only cut new releases, then we have additional complications: if there are code deltas between that version and the previous version other than those associated with a patch, then we could have a situation where unrelated bugs are also fixed, or even caused, by a particular version change.

Page last updated or reviewed: May 22, 2007