
Re: [TECH] Duplicate candidates - which one should be preferred?



Addressing two issues:

1. For convenience and for the record: I (on behalf of ISS) have been sending [recipient name garbled in source] an encrypted copy of our advisory drafts for candidate assignment for over a year. I find it less error-prone than assuming an issue is new. The whole exchange is handled in ciphertext, and the recipient destroys all records of the conversation once the assignment is complete. There is a very real concern at ISS about "leakage" of pre-release material by a third party; if that ever happened, I believe I would be in a great deal of pain. The recipient has provided ISS with an official, formal statement of what they will and will not do with confidential and private content, including confidentiality of the issue, information handling, and disposal immediately after candidate assignment.

2. As to which candidate to promote, ISS X-Force uses a similar protocol for choosing between duplicates. If the issue is associated with a product or a CVE (i.e. it is more "official"), then we promote it. Otherwise, we promote the first-entered issue. In either case, we sync the references and information to the promoted issue, and NEVER delete the obsoleted issue. These guidelines have worked for us more times than I'd like to admit. :-)

--Andre

Andre Frech
X-Force Security Researcher
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, Georgia 30328-4233
Internet Security Systems -- The Power to Protect

-----Original Message-----
From: Steven M. Christey [mailto:coley@linus.mitre.org]
Sent: Tuesday, February 27, 2001
To: cve-editorial-board-list@lists.mitre.org
Subject: [TECH] Duplicate candidates - which one should be preferred?

All,

If you have been reading Bugtraq, then you may have noticed that @stake and Microsoft recently released reports about a vCard buffer overflow (MS:MS01-012). This was assigned CAN-2001-0145, which was included in the @stake and Microsoft advisories. However, it turns out that this issue was originally discovered and published in 2000; it was assigned CAN-2000-0756 and proposed to the Editorial Board in September. Thanks to Andre Frech for bringing this to my attention while I have been traveling. The affected candidates' information is included at the end of this message.

So, now we have 2 publicized candidates that describe the same vulnerability. This will be a topic of discussion at the Board meeting, but since it has effectively become public this week, I wanted to start early.

Duplicates were expected to increase as candidates are introduced earlier in the vulnerability cycle. Unfortunately, this has proven to be true. Duplication becomes especially risky as vendors and researchers exchange candidate numbers without including MITRE as a third party. I've been referring to this as "blind candidate reservation." Despite the increased likelihood of duplicate candidates, the benefit of blind candidate reservation is that there is one less organization to accidentally leak information before it is publicized (i.e. MITRE); the candidate review process can resolve the duplication.

When duplicate candidates arise, we must ultimately decide which candidate should be promoted to an entry. In the August 2000 meeting, the Board said that MITRE could decide this issue themselves. However, I'd like to consult you again, now that we have a more concrete example to work with.

(A similar issue arose in November when ISS and NAI discovered extremely similar vulnerabilities as documented in CAN-2000-0885 and CAN-2000-0817, but that situation is more complex, since it also involves content decisions).

Following are the guidelines that I've been considering for handling duplicates:

- promote the more "official" candidate to an entry (e.g. if it comes from a CERT advisory or a vendor advisory)
- if all else is equal, then promote the candidate that was first made public

In this case, since CAN-2001-0145 came from Microsoft, i.e. an official source, then it might be preferred over CAN-2000-0756, even though CAN-2000-0756 was publicized in September 2000. The argument for preferring CAN-2000-0756 would be that it's been around for a longer time. It's possible that Microsoft could change their reference back to CAN-2000-0756. However, the bulletins have probably reached a wider audience than CAN-2000-0756 itself has (since it probably hasn't made it into many tools, and it wasn't included in the original Bugtraq post). So, CAN-2001-0145 is perhaps better known than CAN-2000-0756.

The guidelines suggest that CAN-2001-0145 would be promoted instead of CAN-2000-0756. So, is that reasonable?

- Steve

======================================================
Candidate: CAN-2000-0756
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0756
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000921
Assigned: 20000919
Category: SF
Reference: BUGTRAQ:20000831 vCard DoS on Outlook 2000
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Springmail.105.967737080.0.16997300@www.springmail.com
Reference: BID:1633
Reference: URL:http://www.securityfocus.com/bid/1633

Microsoft Outlook 2000 does not properly process long or malformed fields in vCard (.vcf) files, which allows attackers to cause a denial of service.

INFERRED ACTION: CAN-2000-0756 SMC_REVIEW (3 accept, 2 review)

Current Votes:
ACCEPT(2) Cole, Levy
MODIFY(1) LeBlanc
REVIEW(2) Christey, Wall

Voter Comments:
LeBlanc> -- If a KB article, bulletin, or patch can be found, then I'd accept.
Christey> This is the same as MS:MS01-012 (CAN-2001-0145); see Joel Moses' Bugtraq post: http://marc.theaimsgroup.com/?l=bugtraq&m=98322714210100&w=2
At the time of writing, it is uncertain which candidate should be preferred: the candidate that has been publicly known longer (i.e. CAN-2000-0756), or the more "official" candidate, which may have been publicized more widely (e.g. CAN-2001-0145).

======================================================
Candidate: CAN-2001-0145
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0145
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20010210
Category: SF/CF/MP/SA//unknown
Reference: MS:MS01-012
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-012.asp
Reference: ATSTAKE:A022301-1
Reference: URL:http://www.atstake.com/research/advisories/2001/a022301-1.txt

Buffer overflow in the vCard handler in Outlook 2000 and 98, and Outlook Express 5.x, allows attackers to execute arbitrary commands via a malformed vCard birthday field.

INFERRED ACTION: CAN-2001-0145 ASSIGNED (assigned 20010210)

Current Votes:
REVIEW(1) Christey

Voter Comments:
Christey> On Bugtraq, Joel Moses pointed out that this is a duplicate of CAN-2000-0756: http://marc.theaimsgroup.com/?l=bugtraq&m=98322714210100&w=2
At the time of writing, it is uncertain which candidate should be preferred: the candidate that has been publicly known longer (i.e. CAN-2000-0756), or the more "official" candidate, which may have been publicized more widely (e.g. CAN-2001-0145).

Page Last Updated or Reviewed: May 22, 2007