oss-sec mailing list archives

Re: CVE Request -- logrotate -- nine issues

From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Fri, 4 Mar 2011 12:05:02 -0500 (EST)

If there's a common usage scenario that doesn't stem from blatantadministrator negligence, then a CVE is probably still appropriate.("blatant admin negligence" might be, say, if an admin arbitrarily makes ascript setuid, or modifies the perms for an executable or config file tobe world-writable.)

We will sometimes write the CVE description more as an "adminisratorpractice" than as "fault of the software."

For example, default passwords are fair game; arguably, if the admindidn't read page 24 of the documentation that said "change the defaultpassword," this is more the admin's fault than the software's fault... BUTthe issue has to be dealt with, either way, so a CVE becomes a "signal"for that action to take place, whether it came from the software or fromthe user.

Not everything is that clean and straightforward of course, but that's thegeneral thinking.


- Steve

Current thread:

CVE Request -- logrotate -- nine issues Jan Lieskovsky (Mar 04)
- Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
  - Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Steven M. Christey (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Steven M. Christey (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Dan Rosenberg (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Steve Grubb (Mar 07)
    - Re: CVE Request -- logrotate -- nine issues Josh Bressers (Mar 07)
    - Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 05)
    - Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 06)
  - Re: CVE Request -- logrotate -- nine issues Jan Lieskovsky (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)

(Thread continues...)