[VIM] Knowledgebases Remote Command Execution
security curmudgeon
jericho at attrition.org
Tue Mar 21 18:38:23 EST 2006
: The question is, how many new CVEs? Another area I've been struggling
: with lately is how to handle when the same issue - same attack vector
: and everything - occurs in multiple products by the same vendor. My
: current feeling (and that's all it is) is that if the products are
: clearly separable and don't obviously share any common library or the
: like, then I'll SPLIT them.
That is our criterion, but due to lack of code access it is somewhat
subjective. If OSVDB feels that the same codebase was used in multiple
products, they usually get the same ID. If it was different code, or very
likely different, they get split.
One time we deviate is in protocol implementation. The ISAKMP (or any
other PROTOS-based) disclosures, for example, got a couple of entries (DoS and
unspecified) for all products, because it seems everyone implemented it
equally wrong.