
[TECH] CD:VAGUE (Vague vendor descriptions of vulnerabilities)



This CD, while newly created, identifies and attempts to resolve an old problem. Editorial Board members' votes on candidates affected by this CD are quoted in the "Analysis" section of CD:VAGUE.

- Steve

****************************************************************
CD:VAGUE (Vague vendor descriptions of vulnerabilities)
****************************************************************

Type: ABSTRACTION, INCLUSION
Last Updated: February 17, 2002

The CD:VAGUE CVE content decision handles cases in which a vendor releases a security advisory or other type of alert, but the details of the description contain less information than is required by other CVE content decisions. CD:VAGUE is the only CVE content decision that can affect both inclusion (should an issue be included in CVE?) and abstraction (how do we distinguish between closely related issues?).

Vague advisories or high-level reports of vulnerabilities affect CVE in the following ways:

- INCLUSION CDs: some Editorial Board members believe that if an issue is only vaguely mentioned, there is not enough information to provide a useful description, so it does not "deserve" to be in CVE.

- ABSTRACTION CDs: when a vulnerability is described vaguely, it is difficult to apply other CVE content decisions to determine (a) whether the issue duplicates an existing CVE candidate or entry, and (b) what the correct level of abstraction is.

In addition, candidates with vague descriptions increase the risk of mapping errors in CVE-compatible products, i.e. a CVE-compatible vendor may accidentally map an issue in its database to a CVE entry because the issue matches the entry's vague description.

Vendor acknowledgement occasionally has an effect on voting as well. For example, a candidate with a detailed Bugtraq post may not get enough votes because Board members cannot replicate the issue, but a different candidate with a vague advisory may address the same issue.

There is evidence that different sources of vulnerability information (databases, alert summaries, etc.) use different approaches to decide whether a vague advisory addresses the same issue that has been reported in detail. CD:VAGUE, along with other content decisions, effectively provides a name for this variation across vulnerability data sources.

DESCRIPTION
-----------

Following is the description for CD:VAGUE.

1) If a vendor releases a vague report of a security problem, then even though there is insufficient detail, the problem should be included in CVE since (1) it is related to security (since the vendor claims it is related to security), and (2) it is known to be real (since the vendor reported it).

2) Unless there is sufficient evidence that the vague advisory is addressing the same issue as identified by another CVE item, it should be distinguished from that item.

RATIONALES
----------

INCLUSION: In several cases in the past, one or more Editorial Board members have voted to REJECT or at least REVIEW a candidate because its description was too vague, even when there was a vendor security advisory associated with it. However, the vendor is reporting on a problem that it believes has security implications, and that system administrators should take care of. Also, someone malicious may discover it in the future, or already know about it. There is sufficient evidence that the problem is real, and the vendor believes that it has security implications. Therefore it should be included in CVE.

ABSTRACTION: It can be difficult to determine whether the vague advisory is a duplicate of an existing CVE candidate or entry, which may have more details. Sometimes, the vague advisory is released months or sometimes years after more detailed reports have been published. If the advisory doesn't include information (such as cross-references) that clearly links the issue to other CVE items, then it should be kept separate from the other CVE items, and the possible relationship should be noted. Also, when several closely related issues have been discovered before the vague advisory has been released, it is not clear whether the advisory addresses one, some, all, or none of the reported issues.

INCLUSION EXAMPLES
------------------

CAN-2001-1061 shows that a vendor has fixed a problem that the vendor claims is security-related, but there is insufficient information for understanding why the issue is related to security.

======================================================
Candidate: CAN-2001-1061
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1061
Proposed: 20020131
Assigned: 20020131
Category: SF
Reference: AIXAPAR:IY22255
Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q3/0003.html

Vulnerability in lsmcode in unknown versions of AIX, possibly related to a usage error.

ANALYSIS
--------

Vendor Acknowledgement: yes
Content Decisions: VAGUE

CD:VAGUE states that if a vendor releases a vague report of a security problem, then even though there is insufficient detail, the problem should be included in CVE.

The full text of AIXAPAR:IY22255 says:

  ABSTRACT: SECURITY: VULNERABILITY IN LSMCODE
  PROBLEM DESCRIPTION: Customer does not receive a usage error when specifying an invalid type for the LSMCODE command line option.
  PROBLEM SUMMARY: Check the type supplied from the command line. If the type is not supported, display a usage error.

From this description it is not clear how the lack of a usage error implies a vulnerability. However, IBM says that there is some security issue.

This is another example of such a candidate.

======================================================
Candidate: CAN-2000-0173
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0173
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: SCO:SB-00.08
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.08a

Vulnerability in the eels system in SCO UnixWare 7.1.x allows remote attackers to cause a denial of service.

INFERRED ACTION: CAN-2000-0173 SMC_REVIEW (3 accept, 2 review)

Current Votes:
  ACCEPT(2) Blake, Cole
  MODIFY(1) Frech
  NOOP(4) Ozancin, LeBlanc, Prosser, Wall
  REVIEW(2) Levy, Christey

Voter Comments:

Prosser> Although SCO reported the problem, there is too little information available to make an informed decision. Unable to find anything anywhere. This is an event logging system, so one would assume there is a way to fill the logs and cause the system to stop, but unable to confirm with this limited information.

Christey> Perhaps we should create a content decision, say CD:VAGUE-ACK, that says whether it is reasonable to accept vendor-acknowledged problems that don't provide any significant details, as in this candidate and several others.

Cole> I researched this and you can change my vote to an ACCEPT.

Frech> XF:sco-eels-dos

ABSTRACTION EXAMPLES
--------------------

CAN-2001-0935 is a vague Linux advisory related to an issue in wu-ftpd. See the Analysis section.

======================================================
Candidate: CAN-2001-0935
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0935
Proposed: 20020131
Assigned: 20020131
Reference: SUSE:SuSE-SA:2001:043
Reference: URL:http://www.suse.de/de/support/security/2001_043_wuftpd_txt.html

Vulnerability in wu-ftpd 2.6.0, and possibly earlier versions, which is unrelated to the ftpglob bug described in CAN-2001-0550.

ANALYSIS
--------

Vendor Acknowledgement:
Content Decisions: SF-LOC, VAGUE

ABSTRACTION: The SuSE advisory discusses the ftpglob buffer overflow (CAN-2001-0550), then states: "Several weeks ago, an internal source code audit of wu-ftpd 2.6.0 by Thomas Biege, SuSE Security, revealed some other security-related bugs that were fixed." It provides no other details, so this problem should be distinguished. There are no other details, so the CVE description is vague.

INCLUSION: CD:VAGUE suggests that when a vaguely worded advisory is posted by a vendor, it should still be included in CVE because there is sufficient evidence that the problem is real (since it came from the vendor).

The following candidate is an example of a vague description that could apply to a number of potential products or vulnerabilities, some of which may already have CVE names. In addition, other CVE content decisions cannot be properly applied.

======================================================
Candidate: CAN-2001-0772
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0772
Proposed: 20011012
Assigned: 20011012
Category: SF
Reference: HP:HPSBUX0105-151
Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q2/0044.html
Reference: XF:hpux-cde-bo(6585)
Reference: URL:http://xforce.iss.net/static/6585.php

Buffer overflows and other vulnerabilities in multiple Common Desktop Environment (CDE) modules in HP-UX 10.10 through 11.11 allow attackers to possibly cause a denial of service and gain additional privileges.

ANALYSIS
--------

Vendor Acknowledgement: yes advisory
Content Decisions: SF-EXEC, SF-LOC, VAGUE

ABSTRACTION/INCLUSION: There are a variety of vulnerabilities in CDE modules. The HP advisory does not provide enough details to know whether HP is addressing known vulnerabilities or new ones. Thus this item may overlap other CVE entries or candidates. The advisory also implies that there are other types of problems besides buffer overflows. CD:SF-LOC suggests creating separate candidates for each problem, but since the advisory does not provide the details, it cannot be determined how many candidates should be created. Thus this candidate is clearly at a higher level of abstraction than usual.

Current Votes:
  ACCEPT(4) Baker, Foat, Cole, Frech
  NOOP(2) Wall, Armstrong
  REVIEW(1) Christey

Voter Comments:

Christey> There is some overlap between CAN-2001-0551 and CAN-2001-0772. CAN-2001-0551 describes a specific dtprintinfo vulnerability. HP acknowledged CAN-2001-0551, and states that the problem is fixed in HP:HPSBUX0105-151, which is CAN-2001-0772. But CAN-2001-0772 is a vague advisory that identifies other vulnerabilities (and vulnerability types) besides CAN-2001-0551. Perhaps CAN-2001-0772 should be RECAST to "remove" the reference to dtprintinfo and leave the other vague descriptions. CAN-2001-0772 and CAN-2001-0551 are very good examples of the problems that CVE faces in being consistent with respect to the level of abstraction, as documented in the CD:SF-CODEBASE, CD:SF-LOC, and CD:VAGUE content decisions.

Page last updated or reviewed: May 22, 2007