Hello Jan, There are products which are outdated/dead that'll never have solution. That is another condition to consider. There may be workarounds and workarounds could be to uninstall the product in some cases.
If you put a timeline like "....last one year", we need to keep that timeline updated. For NVTs that do not have solution for an year, we can put a general message like this, "No solution or patch is available since the disclosure of this vulnerability." If there is a workaround, "No solution or patch is available since the disclosure of this vulnerability. The workaround is to disable 'config' setting." Thanks. Chandra. Saner Personal A free vulnerability mitigation software. Build strong defense. http://www.secpod.com/saner-personal.html -----Original Message----- From: Openvas-plugins [mailto:[email protected]] On Behalf Of Jan-Oliver Wagner Sent: Wednesday, December 11, 2013 12:18 PM To: [email protected] Subject: [Openvas-plugins] Handling the "no solution" problem Hello, currently we have a situation where many NVTs have a tag_solution with a text like this: "No solution or patch is available as of 06th December, 2013. Information regarding this issue will update once the solution details are available." It seems that for many products, like wingate (CVE-2008-3606, scripts/2008/secpod_wingate_imap_dos_vuln_900201.nasl) no solution was provided for a long time and very like will not ever. I propose for such cases to replace the above text by something like "No solution or patch was made available for at least one year. Likely none will be provided at all other than an upgrade to a newer release." Better phrases for the core message are welcome. Also: Is 1 year a appropriate duration until we can conclude there will be no solution anymore? Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460 Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner _______________________________________________ Openvas-plugins mailing list [email protected] https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins ----- No virus found in this message. Checked by AVG - www.avg.com Version: 2013.0.3426 / Virus Database: 3658/6895 - Release Date: 12/05/13 _______________________________________________ Openvas-plugins mailing list [email protected] https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins
