oss-sec mailing list archives

Re: CVE request: unauthorized host/service views displayed in servicegroup view


From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Wed, 04 Sep 2013 11:25:21 -0400

[dropping cc's, just leaving oss-security]

On 09/03/2013 07:02 PM, Vincent Danen wrote:

I mean, if someone wants to shoot themselves in the foot and document it
as a feature, who are we to say otherwise?  We may not agree with it,
but it's a documented feature (deliberately changed), so we can't just
very well call it a security flaw because we don't like the new
behaviour.

I'm curious about this.  If, say, a modern TLS library some day decides
to get around to implementing (old, deprecated, known-insecure,
previously-unimplemented) SSLv2, and announces it as a feature, and
enables it by default, is the consensus of this group that we would not
treat it as worthy of a CVE, despite being a clear security weakening?

At what point does the security community override the upstream
decisions and declare the packages vulnerable?

        --dkg
