oss-sec mailing list archives
Re: Re: CVE request: unauthorized host/service views displayed in servicegroup view
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 04 Sep 2013 19:39:18 -0600
On 09/04/2013 07:19 PM, Vincent Danen wrote:
> That somewhat proves my point. =). In both cases you're talking about
> intended security being violated or a security-relevant mistake. I don't
> see how relaxing ACLs intentionally, but still protected via
> authentication, meets either criterion.
>
> --
> Vincent Danen / Red Hat Security Response Team
>
> On 2013-09-04, at 5:08 PM, cve-assign () mitre org wrote:
>
>>> I think the first question is what constitutes a security flaw -- once
>>> that is defined, then I think what upstream does is irrelevant. If it's
>>> a flaw, it's a flaw.
>>
>> CVE assignment by MITRE doesn't look at flaws in quite that way. If a
>> vendor has developed and released software and then sends us a report
>> that the software had a security-relevant mistake, or violated that
>> vendor's intended security policy, that's usually enough for a CVE.
>> Reports from third parties are viewed much more restrictively.

A good example of this in action:

http://docs.python.org/2/library/pickle.html
no CVE (big warning, safe alternatives, etc.)

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=deserialization
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=deserializing
lots of CVEs

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
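The pickle module is the message's example of an API whose documentation warns that it is unsafe on untrusted input and points at safer alternatives rather than treating that behaviour as a CVE-worthy flaw. The following Python is an added illustration of the mitigation that documentation describes (restricting the globals an Unpickler may resolve); it is not code from the email or from the Python project, and the sample pickles and the hypothetical monitoring-style dict it uses are constructed for the example.

```python
import io
import pickle
import datetime


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global/class reference.

    A pickle stream may name any importable callable, so loading arbitrary
    input can execute attacker-chosen code. Overriding find_class, the hook
    the Python docs describe for restricting globals, turns any such
    reference into an UnpicklingError instead of an import.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing global reference {module}.{name}")


def safe_loads(data: bytes):
    """Load a pickle that may only contain builtin scalar/container types.

    Raises pickle.UnpicklingError if the stream tries to resolve a global.
    """
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


def is_plain_data_pickle(data: bytes) -> bool:
    """True if the stream decodes without resolving any global reference."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


def sample_plain_pickle() -> bytes:
    # Constructed sample: only builtin types, so no GLOBAL opcode is emitted.
    return pickle.dumps({"host": "web01", "services": ["http"], "up": True})


def sample_global_pickle() -> bytes:
    # Constructed sample: a benign datetime.date still pickles as a reference
    # to the datetime.date global, which the restricted loader must reject.
    return pickle.dumps(datetime.date(2013, 9, 4))


if __name__ == "__main__":
    print("plain:", is_plain_data_pickle(sample_plain_pickle()))    # True
    print("global:", is_plain_data_pickle(sample_global_pickle()))  # False
```

The restricted loader accepts plain data structures and rejects anything that needs find_class, which is exactly the boundary the pickle documentation tells callers to enforce when the alternatives (json, a schema-checked format) are not an option.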