From: Adam Flinton 

Geo. wrote:

> "Robert Comer" 
wrote in message
> news:402cf584$1{at}w3.nls.net...
>
>
>>In the absolute sense you are right, but that's not what we're discussing.
>>
>>It does if you're only discussing OS vulnerabilities. 
>
>
> So does a vuln discovered in a language library count as an OS vuln and an
> app vuln or is it just a lib vuln and not count for anything that includes
> it?
>
> What if I provide a CD (lets call it gOSh) that I market as a web server OS,
> it includes Linux/Apache/Mysql, does a vuln in mysql count as an OS vuln?
>
> If microsoft does the same thing, NT/IIS/SQLserver does an sqlserver bug
> count as an OS vuln then? Ok how about if instead of a web server they have
> a product that includes an optional database based file system, is sqlserver
> now counted as part of the OS?
>
> You guys want to call it an OS vuln, I'm just calling it a product vuln to
> avoid all this nebulous nonsense. If it comes as part of the product and
> requires a patch then that product, whatever you call it, has a vuln, up the
> count by 1.
>
> If you guys can't accept that then I'm going to restrict my definition of NT
> to only what's included in embedded NT and forget all the stuff included in
> other distributions like pro or server since obviously they aren't part of
> the OS.
>
I'm happy with product vulns. Otherwise imagine a hole in OpenOffice, Moz,
Gaim, Eclipse, DB2, Oracle or MySQL etc.etc. All are cross platform a
product level hole would stretch across many OS'es.

Adam

--- BBBS/NT v4.01 Flag-5