oss-sec mailing list archives

Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere


From: David King <amigadave () amigadave com>
Date: Wed, 16 Mar 2011 12:02:28 +0100

On 2011-03-16 10:47, David Woodhouse <dwmw2 () infradead org> wrote:
> On Tue, 2011-03-15 at 17:10 -0400, Josh Bressers wrote:
>
> Issue #2
>
> Vino can open ports via uPnP without alerting the user.
> https://bugzilla.redhat.com/show_bug.cgi?id=678846
>
> Use CVE-2011-1165
>
> [snip]
>
> There *is* an option to disable this feature, if the user really wants
> to. And of course it should be clearly indicated that the service is
> available to the public; but *that* is what CVE-2011-1164 is for.

It should be noted that the UPnP feature is disabled by default, so the user has the option to *enable* it. I concede that the string presented in the UI needs improvement. Of course, I agree that indication of the consequences would be appropriate, and also disallowing the 'none' authentication method if UPnP is enabled.

--
http://amigadave.com/

