oss-sec mailing list archives
Re: CVE request: unauthorized host/service views displayed in servicegroup view
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Wed, 04 Sep 2013 11:25:21 -0400
[dropping cc's, just leaving oss-security]

On 09/03/2013 07:02 PM, Vincent Danen wrote:
> I mean, if someone wants to shoot themselves in the foot and document it as a feature, who are we to say otherwise? We may not agree with it, but it's a documented feature (deliberately changed), so we can't just very well call it a security flaw because we don't like the new behaviour.

I'm curious about this. If, say, a modern TLS library some day decides to get around to implementing (old, deprecated, known-insecure, previously-unimplemented) SSLv2, and announces it as a feature, and enables it by default, is the consensus of this group that we would not treat it as worthy of a CVE, despite being a clear security weakening?

At what point does the security community override the upstream decisions and declare the packages vulnerable?

--dkg