oss-sec mailing list archives

Re: Re: Question about world readable config files and commented warnings


From: Seth Arnold <seth.arnold () canonical com>
Date: Tue, 30 Jun 2015 11:04:04 -0700

On Tue, Jun 30, 2015 at 10:32:56AM -0600, Kurt Seifried wrote:
> Ok, so does a situation where the author creates the config file with
> that warning, and then a vendor repackages and ships it, still world
> readable, still with the warning, warrant a CVE?

Did the vendor also fill in a password? If so, that's worth a CVE to me.
If not, then it's still on the end user to decide if the hypothetical
database needs a password, and if so, if the configuration file needs to
be closed down to protect the password.

Thanks
