oss-sec mailing list archives

Re: Re: browser document.cookie DoS vulnerability


From: Murray McAllister <mmcallis () redhat com>
Date: Mon, 14 Oct 2013 18:06:16 +1100

On 10/12/2013 03:32 PM, Kurt Seifried wrote:

> On 10/11/2013 11:34 AM, Joel Weinberger wrote:
>> Hi there. Yes, we do CVEs, but in this case, we consider this very
>> low severity and will not be creating a CVE for it. Sorry for the
>> delayed response for it! --Joel
>
> So to confirm you are saying this is NOT a security issue in any way,
> shape or form? I find this odd because DoS's in web browsers are often
> considered CVE worthy. Is there something in this issue that prevents
> exploitation/etc? If not then it deserves a CVE even if it is a "low"
> issue.
>
> --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

I don't think web browser DoS's are supposed to be CVE worthy. Our (Red Hat) advisories for Firefox and Thunderbird mention "crash...", but they probably should not (my fault, sorry ;)).

Adding Huzaifa to Cc.

--
Murray McAllister / Red Hat Security Response Team

