oss-sec mailing list archives

Re: Thoughts on a vuln/CVE?


From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 19 Jun 2013 00:21:51 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/19/2013 12:17 AM, Florian Weimer wrote:
> * Kurt Seifried:
>
>> I care a lot less about what is "officially endorsed" or not
>> endorsed and a lot more with what is actually going on. If a
>> large percentage of people are exposed to a vuln, even if they
>> "shouldn't" be then it would still get a CVE. I see a lot of CVEs
>> that should never be exploitable, but people do crazy
>> things/configurations.
>
> But the present situation is really not that clear-cut.  We have
> no indicator of malicious intent from the current domain owner, and
> users would still have to disable signature checking *and* they
> must have configured the problematic repository.  That's a little
> bit far-fetched.

Right. I'm talking about more than just this instance. WordPress
plugins, rubygems.org, etc. Anyway, I've been thinking about it and
will post a longer email later.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993