oss-sec mailing list archives

Re: CVE missing? for "Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution"

From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 30 Jul 2013 00:05:04 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/29/2013 01:48 AM, Alexandre Dulaunoy wrote:

Hi All,

I couldn't find the CVE number for the following
vulnerability/misconfiguration:

https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution

 Is there a CVE assigned for this combo vulnerability in
Exim/Dovecot? or as this is a configuration matter there is no CVE
assigned (even if this "recommended configuration" was in the wiki
of the vendor)?

Thanks for any feedback,

Cheers


I'm inclined to give this a CVE since it's "official"/"recommended"
documentation, and my thought is vendor documentation should be safe,
and where it is not safe it should be explicit that there are risks. A
great example of this is:

http://docs.python.org/2/library/pickle.html

In red right at the top:

Warning The pickle module is not intended to be secure against
erroneous or maliciously constructed data. Never unpickle data
received from an untrusted or unauthenticated source.

Does anyone disagree/have strong feelings regarding this?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR91eQAAoJEBYNRVNeJnmTvkUQAMuPqSPQgt6rF6uPgFXj4k18
4nRFLUMkVAQqYU3L37gqW+Kcv7MRI3FSDBOVbg+AiBjEMTox3F75DkAdWVv+kzEg
cUEN3blGFRtUbBeeyKO73zgDq9HA5FXDFnQQQB1ARn6f518OsRYiUx6r1ej7FFSt
Sc4BuOoRwvDaMhet3RvqaOtzJvtC4S2GBtjD4kKVj/Fa3SeTCY2NEklWfWQ+oYx9
85d19gXmPBoOBm63dNwK0WxuwWzACLO4B1A6e/GX4sBTAXPYelt0WJ7ibs3Gk5sQ
aDVE2A/yzDI7NwakMwbNqi7A6LBctZeDy+0ecoR64R4SpF8XKfWgT6npzy5DSgPA
OP1u1S+k8XRr4u1DU3kNQNiT9fYqgQUWDwcEjVXi/jW1QQeHqpobHilkTc124c+H
695YvyBELKkSMUbSH3xfBp78k+5YGrE+qj9bt0X5rU98NOVMrAa11S2pvsK3So2t
4OJXsYUNrYUJUjGFJ+B0sE2B3cfZqzsZtNPll2002FNAduJhPHU0xVTbQylFoCF4
cBNyIoKxuzYTrkiIY4sf6bDw1efQtJEbHyGqVdad9Rxo4J7wi1fblT2aRkZpdtC6
xBEHDNxRSHDe+aReG15ze8s+GfXW8Cp3nAjVZ2D+H/jZVyC/ZmBHP6EtehEGDRLn
jEH+0cWXsh4hbeaG+kTg
=KryW
-----END PGP SIGNATURE-----

Current thread:

CVE missing? for "Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution" Alexandre Dulaunoy (Jul 29)
- Re: CVE missing? for "Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution" Kurt Seifried (Jul 29)