oss-sec mailing list archives
Re: CVE request: unauthorized host/service views displayed in servicegroup view
From: Vincent Danen <vdanen () redhat com>
Date: Wed, 4 Sep 2013 15:50:01 -0600
* [2013-09-04 11:25:21 -0400] Daniel Kahn Gillmor wrote:
[dropping cc's, just leaving oss-security] On 09/03/2013 07:02 PM, Vincent Danen wrote:I mean, if someone wants to shoot themselves in the foot and document it as a feature, who are we to say otherwise? We may not agree with it, but it's a documented feature (deliberately changed), so we can't just very well call it a security flaw because we don't like the new behaviour.I'm curious about this. If, say, a modern TLS library some day decides to get around to implementing (old, deprecated, known-insecure, previously-unimplemented) SSLv2, and announces it as a feature, and enables it by default, is the consensus of this group that we would not treat it as worthy of a CVE, despite being a clear security weakening? At what point does the security community override the upstream decisions and declare the packages vulnerable?
That's a good question. For your example, I'd say that's a bad thing... we all know SSLv2 is insecure and we would consider the developer to be a little "special" in the head, I think. =) This is a bit different though. The users are authenticated -- it's not unauthenticated exposure. How granular the access controls _within_ that application are largely depend on the developer. It might be different if they decided to chuck the whole authentication basis and decided that information in Nagios should be public. But, even then, that is a definite design decision -- is it still a security flaw? Arguably, Google searches often reveal sensitive information -- does that mean Google searches require a CVE? Or is that up to the end user to decide "this has too much risk" or "I disagree with the design decision here and will suit something better to my use-case"? So while I think you have a valid question, I think the first question is what constitutes a security flaw -- once that is defined, then I think what upstream does is irrelevant. If it's a flaw, it's a flaw. And obviously upstream's point of view is sometime questionable -- it's like the Linux kernel folks deciding there are no security bugs, only _bugs_ (with no distinction). That never went over very well. =) --Vincent Danen / Red Hat Security Response Team
Current thread:
- Re: CVE request: unauthorized host/service views displayed in servicegroup view, (continued)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Jonas Meurer (Aug 30)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Kurt Seifried (Sep 03)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Vincent Danen (Sep 03)
- Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view) Jonas Meurer (Sep 04)
- Re: Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view) Andreas Ericsson (Sep 04)
- Re: [Nagios-devel] [oss-security] Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view) Jochen Bern (Sep 04)
- Re: [Nagios-devel] [oss-security] Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view) Andreas Ericsson (Sep 04)
- Re: Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view) Jonas Meurer (Sep 04)
- Re: Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view) Jonas Meurer (Sep 04)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Daniel Kahn Gillmor (Sep 04)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Vincent Danen (Sep 04)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view cve-assign (Sep 04)
- Re: CVE request: unauthorized host/service views displayed in servicegroup view Vincent Danen (Sep 04)
- Re: Re: CVE request: unauthorized host/service views displayed in servicegroup view Kurt Seifried (Sep 04)