oss-sec mailing list archives
Re: CVE request: unauthorized host/service views displayed in servicegroup view
From: Vincent Danen <vdanen () redhat com>
Date: Wed, 4 Sep 2013 21:19:19 -0400 (EDT)
That somewhat proves my point. =). In both cases you're talking about intended security being violated or a security-relevant mistake. I don't see how relaxing ACLs intentionally, but still protected via authentication, meets either criteria.

--
Vincent Danen / Red Hat Security Response Team

On 2013-09-04, at 5:08 PM, cve-assign () mitre org wrote:
> > I think the first question is what constitutes a security flaw -- once that is defined, then I think what upstream does is irrelevant. If it's a flaw, it's a flaw.
>
> CVE assignment by MITRE doesn't look at flaws in quite that way. If a vendor has developed and released software and then sends us a report that the software had a security-relevant mistake, or violated that vendor's intended security policy, that's usually enough for a CVE. Reports from third parties are viewed much more restrictively.
>
> --
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]