oss-sec mailing list archives
Re: CVE missing? for "Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution"
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 30 Jul 2013 00:05:04 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/29/2013 01:48 AM, Alexandre Dulaunoy wrote:
Hi All, I couldn't find the CVE number for the following vulnerability/misconfiguration: https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution Is there a CVE assigned for this combo vulnerability in Exim/Dovecot? or as this is a configuration matter there is no CVE assigned (even if this "recommended configuration" was in the wiki of the vendor)? Thanks for any feedback, Cheers
I'm inclined to give this a CVE since it's "official"/"recommended" documentation, and my thought is vendor documentation should be safe, and where it is not safe it should be explicit that there are risks. A great example of this is: http://docs.python.org/2/library/pickle.html In red right at the top: Warning The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source. Does anyone disagree/have strong feelings regarding this? - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR91eQAAoJEBYNRVNeJnmTvkUQAMuPqSPQgt6rF6uPgFXj4k18 4nRFLUMkVAQqYU3L37gqW+Kcv7MRI3FSDBOVbg+AiBjEMTox3F75DkAdWVv+kzEg cUEN3blGFRtUbBeeyKO73zgDq9HA5FXDFnQQQB1ARn6f518OsRYiUx6r1ej7FFSt Sc4BuOoRwvDaMhet3RvqaOtzJvtC4S2GBtjD4kKVj/Fa3SeTCY2NEklWfWQ+oYx9 85d19gXmPBoOBm63dNwK0WxuwWzACLO4B1A6e/GX4sBTAXPYelt0WJ7ibs3Gk5sQ aDVE2A/yzDI7NwakMwbNqi7A6LBctZeDy+0ecoR64R4SpF8XKfWgT6npzy5DSgPA OP1u1S+k8XRr4u1DU3kNQNiT9fYqgQUWDwcEjVXi/jW1QQeHqpobHilkTc124c+H 695YvyBELKkSMUbSH3xfBp78k+5YGrE+qj9bt0X5rU98NOVMrAa11S2pvsK3So2t 4OJXsYUNrYUJUjGFJ+B0sE2B3cfZqzsZtNPll2002FNAduJhPHU0xVTbQylFoCF4 cBNyIoKxuzYTrkiIY4sf6bDw1efQtJEbHyGqVdad9Rxo4J7wi1fblT2aRkZpdtC6 xBEHDNxRSHDe+aReG15ze8s+GfXW8Cp3nAjVZ2D+H/jZVyC/ZmBHP6EtehEGDRLn jEH+0cWXsh4hbeaG+kTg =KryW -----END PGP SIGNATURE-----
Current thread:
- CVE missing? for "Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution" Alexandre Dulaunoy (Jul 29)
- Re: CVE missing? for "Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution" Kurt Seifried (Jul 29)