oss-sec mailing list archives
Re: Thoughts on a vuln/CVE?
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 18 Jun 2013 10:53:03 -0600
On 06/18/2013 10:41 AM, Moritz Muehlenhoff wrote:
> On Tue, Jun 18, 2013 at 12:44:09AM -0600, Kurt Seifried wrote:
>> Also part of my thought process is that (for example) this would be a good configuration to check for and ensure is disabled, something for SCAP for example or the Debian security guide (e.g. a generic "make sure all enabled repos are actually working as expected").
>
> Debian doesn't endorse any external repository. During package installation the pre/post installation scripts run with root privs. As such, if you enable a repository you trust the people behind that repository with the equivalent to root access to your system anyway.
>
> Cheers,
> Moritz

I care a lot less about what is "officially endorsed" or not endorsed and a lot more about what is actually going on. If a large percentage of people are exposed to a vuln, even if they "shouldn't" be, then it would still get a CVE. I see a lot of CVEs that should never be exploitable, but people do crazy things/configurations.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993