Re: CVE's for intersection vulnerabilities

["Dolev Farhi" <dolevf () yahoo com>]

On Sun, 20 Jul 2014 12:03:00 +0300, Kurt Seifried <kseifried () redhat com>  
wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 19/07/14 10:09 AM, Dolev Farhi wrote:
> > On Sat, 19 Jul 2014 14:32:50 +0300, intrigeri <intrigeri () boum org>
> > wrote:
> >
> > > Hi,
> > >
> > > Kurt Seifried wrote (19 Jul 2014 00:33:38 GMT) :
> > > > So long story short: we have a program called sosreport that is
> > > > used to send system information back to Red Hat so we can help
> > > > customers troubleshoot their problems. It would appear we have
> > > > three main classes of (potential) security vulnerabilities:
> > >
> > > The severity of these potential vulnerabilities may partly depend
> > > on how well sosreport authenticates the server it sends
> > > information to.
> > >
> > > Cheers, -- intrigeri
> >
> >
> > Just wanna mention that sosreport is used by many companies other
> > than red hat (e.g. a company may ask for an sosreport from their
> > customers), i know that we use it to get environment data from
> > customers.
>
> Well... fiddlesticks.
>
> That is outside of my responsibility, and indeed outside of what I'm
> even aware of (if you use sosreport and do so in an insecure manner
> please report to oss-security for uhmm.. re-education? Heck of I know
> what to do/say.).
>
> - --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBAgAGBQJTy4XEAAoJEBYNRVNeJnmTQIgQAJMzCeC49n6KTjC04yKgChb6
> pi2lkJZqG1gb4Ze8bNOuagdqLSEdFIS21EYIeOpeLKkQ+wXylSFumN1M0P+kBYh0
> n3YVzVqHgJ8DPlhLR7pPOcx2M60HMi12PvYDsqGdHaPdrgj0kknH+9340+4dkEhj
> lWEeKmzgZtMigOQIFn4cLtG1f55CfTD8odO7HdMu0mXhIUJ7DUDjCXiWVswjHjL4
> tyKplqaAHOS0cForSVviUkkEWyRSY/Ylb/JFtr0sM19cUbDlelLwH8NHyuHs4/71
> 9EMiRQMGNLDOmov0jbjInS2A775SjtnvyUCvgvEyglHR3iWQ4YPQG627+A7HJZky
> K09TNd0JhB+CufgDuIBCOytNKaPnlEA9wYWShUPB8x/0nWvsvBWB2WeK61bgo9W3
> zfuH4SYXOL0CPGt3pCKNpZ5PqoPcRSLgCLqyhsHTZAkAe0dvgY24lP8HWve9h2at
> aq6UKajnXz7we2IxkjVxZfuxoIwi8SdhjBDMBr+P+sEfdGeKyI37x9iGnSoWD3zX
> vRgjsYF745Kb5ruCKvhOy5VF9GsA70uX51+YiZVib0661OZAJZfaYWoypTsuyAt4
> 68zUr2KkIqSzl31Fx8Ak20NqHJRYsnU/j0vdxInLqpvTrodrPuPQyFPW+/U8keFG
> at2j4IX/ezuZdi5yRQ4e
> =9hGj
> -----END PGP SIGNATURE-----

well, of course it is not in your responsibility.

but it is red hat responsibility to reduce the chances of it collecting  
key configuration files containing possible credentials, which is what  
they appear to do.



--

/df

---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com