oss-sec mailing list archives
Re: CVE's for intersection vulnerabilities
From: "Dolev Farhi" <dolevf () yahoo com>
Date: Sun, 20 Jul 2014 12:48:44 +0300
On Sun, 20 Jul 2014 12:03:00 +0300, Kurt Seifried <kseifried () redhat com> wrote:
> On 19/07/14 10:09 AM, Dolev Farhi wrote:
>> On Sat, 19 Jul 2014 14:32:50 +0300, intrigeri <intrigeri () boum org> wrote:
>>> Hi,
>>>
>>> Kurt Seifried wrote (19 Jul 2014 00:33:38 GMT) :
>>>> So long story short: we have a program called sosreport that is used to send system information back to Red Hat so we can help customers troubleshoot their problems. It would appear we have three main classes of (potential) security vulnerabilities:
>>>
>>> The severity of these potential vulnerabilities may partly depend on how well sosreport authenticates the server it sends information to.
>>>
>>> Cheers,
>>> --
>>> intrigeri
>>
>> Just wanna mention that sosreport is used by many companies other than Red Hat (e.g. a company may ask for an sosreport from their customers), I know that we use it to get environment data from customers.
>
> Well... fiddlesticks. That is outside of my responsibility, and indeed outside of what I'm even aware of (if you use sosreport and do so in an insecure manner please report to oss-security for uhmm.. re-education? Heck if I know what to do/say.).
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Well, of course it is not in your responsibility. But it is Red Hat's responsibility to reduce the chances of it collecting key configuration files containing possible credentials, which is what they appear to do.
-- /df