oss-sec mailing list archives
Re: Thoughts on a vuln/CVE?
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 19 Jun 2013 00:21:51 -0600
On 06/19/2013 12:17 AM, Florian Weimer wrote:
> * Kurt Seifried:
>
>> I care a lot less about what is "officially endorsed" or not endorsed and a lot more with what is actually going on. If a large percentage of people are exposed to a vuln, even if they "shouldn't" be then it would still get a CVE. I see a lot of CVEs that should never be exploitable, but people do crazy things/configurations.
>
> But the present situation is really not that clear-cut. We have no indicator of malicious intent from the current domain owner, and users would still have to disable signature checking *and* they must have configured the problematic repository. That's a little bit far-fetched.

Right. I'm talking about more than just this instance. WordPress plugins. rubygems.org. etc. Anyways, I've been thinking about it and will post a longer email later.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993