oss-sec mailing list archives
Re: Re: Varnish - no CVE == bug regression
From: "Poul-Henning Kamp" <phk () phk freebsd dk>
Date: Wed, 09 Jul 2014 07:15:17 +0000
In message <CACYkhxgmsOG7H3FKhjvDQTfg_WptW1bv19q2CrcPLFTsdL+GiQ () mail gmail com>, Michael Samuel writes:

> A CVE assignment will trigger out-of-band patches for distros that might not do so otherwise. Surely you agree that this is desirable?

No, I do not.

If DNS is spoofed, then DNS is spoofed and anything which uses DNS is vulnerable, but it is not a security vulnerability in every single piece of software that might conceivably use DNS lookups, it is a vulnerability in DNS which we have known about since DNS came about.

If the so-called "security industry" wants to be taken seriously, it has to stop this kind of nonsense.

It seems that the primary thing a CVE assignment will cause is for somebody to make another notch in his bedpost.

I also have no idea what "out-of-band patches", nor for that matter which "distros" you are talking about here. Do you?

If so I'd like to hear about them, because as I said as the very first thing: We fix bugs in Varnish, and I'd like to receive a copy of those patches.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk () FreeBSD ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.