oss-sec mailing list archives

Re: Thoughts on a vuln/CVE?


From: Moritz Muehlenhoff <jmm () inutil org>
Date: Tue, 18 Jun 2013 08:24:12 +0200

On Tue, Jun 18, 2013 at 12:04:30AM -0600, Kurt Seifried wrote:

> http://bits.debian.org/2013/06/remove-debian-multimedia.html

[..]

> We have software with a now insecure configuration as it points to a
> site that may or may not be under attacker control. It seems to me
> like this might be a candidate for a CVE. Thoughts and comments for
> and against are welcome (I'm on the fence myself).

No way. This is not an insecure configuration: This was never a Debian
service and people are free to put whatever they want in /etc/apt/sources.list.
There are hundreds of external apt sources and every one of them could have
their owner changed at some point.

Also there's no security issue: If a domain is grabbed and someone configures
an apt repository on the site, he/she would lack the repository key previously
used to sign the repo.

Cheers,
        Moritz
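
Added example, not part of the original message or of APT itself: the repository-key protection mentioned above applies only to entries where APT still verifies signatures, so this audit lists third-party entries in one-line-style sources.list text and flags options documented in sources.list(5) that disable or weaken that check. The `OFFICIAL_HOSTS` set, the function name and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Options from sources.list(5) that disable or weaken signature checking.
WEAKENING = {"trusted": "yes", "allow-insecure": "yes",
             "allow-weak": "yes", "allow-downgrade-to-insecure": "yes"}
# One-line-style entry: type [options] uri suite components...
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")
# Assumption for this example: hosts treated as the distribution's own archive.
OFFICIAL_HOSTS = {"deb.debian.org", "security.debian.org", "ftp.debian.org"}

def audit_sources(text, official_hosts=OFFICIAL_HOSTS):
    """Return one finding per third-party network entry in sources.list text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        m = ENTRY.match(line)
        if not m:
            continue
        opts, uri, suite = m.group(2, 3, 4)
        host = urlparse(uri).hostname or ""
        if not host or host in official_hosts:     # network third parties only
            continue
        options = dict(o.split("=", 1) for o in (opts or "").split() if "=" in o)
        weak = sorted(k for k, v in options.items()
                      if WEAKENING.get(k.lower()) == v.lower())
        findings.append({
            "line": lineno, "host": host, "suite": suite,
            "signature_enforced": not weak,        # False if any weakening option
            "weakening_options": weak,
            "pinned_key": options.get("signed-by"),  # keyring tied to this entry
        })
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE = """\
deb http://deb.debian.org/debian wheezy main
deb http://multimedia.example.org wheezy main non-free  # third party
deb [trusted=yes] http://repo.example.net/apt stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://pkg.example.org/deb stable main
"""

if __name__ == "__main__":
    for finding in audit_sources(SAMPLE):
        print(finding)
```

An entry reported with `signature_enforced` false is one where a change of domain ownership would not be caught by the missing repository key.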

