Re: What does it mean for a vulnerability to be retired?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Under the "Discussion" tab for this securityfocus.com BID is the
note:

"NOTE: This BID is being retired because information provided by the
vendor reveals that the application is not vulnerable to this issue."

Extrapolating from this sampling of one, I'd bet that RETIRED is
fairly rarely used.

-g

- --
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Fri, 21 Dec 2007, Terra Frost wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<http://www.securityfocus.com/bid/26885> is an example of a
vulnerability whose status has been changed to RETIRED. My question
is.. what, exactly, does that mean?

My guess is that it means that the vulnerability is bogus. But why,
then, say it's RETIRED and not BOGUS? It's hard to misinterpret BOGUS,
but rather easy to misinterpret RETIRED.

Further, if that is indeed what RETIRED means, why would the above
report, under "Vulnerable", say "WordPress", when, in fact, it isn't?
Maybe, if anything, it should say WordPress and then have a
strikethrough through it?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHbAHOhzLeabOflWcRAnJMAJoCmRiHYnmOLgjywLPn/RQHs4RWOwCdGreH
wIJDT6A+rtFf/KXkg8Icsis=
=Qtls
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFHbAcKLyw7nZwiKgQRAlmYAKD3IWMYKa4ostdxF5dJiAL01I8roACfYVfV
dbauyYdeNbBrNeQCxZwiqw8=
=OAht
-----END PGP SIGNATURE-----