oss-sec mailing list archives
Re: CVE Request: WebKitGTK+ performs DNS prefetch when a proxy is configured
From: Michael Catanzaro <mcatanzaro () igalia com>
Date: Mon, 08 Jun 2015 17:44:45 -0500
On Mon, 2015-06-08 at 17:34 -0400, cve-assign () mitre org wrote:
> We're not sure that this can be considered a vulnerability fix; it seems more like a feature addition. The platformProxyIsEnabledInSystemPreferences "return false" code seems to mean that the product's development status was that ascertaining a proxy setting was an unimplemented capability, and therefore any proxy-specific DNS behavior was an unimplemented feature.
Yes, but it should have been a "return true" to fail-safe instead.
> Admittedly, never making direct DNS queries during proxy use may be the new preferred behavior in this product. However, sometimes people want to make direct DNS queries during proxy use.
I don't think we intend to support this level of configurability.
> There could be a CVE ID if a product were specifically trying to detect a proxy setting (in order to avoid direct DNS in that case) but failing because of a coding error. There typically can't be a CVE ID for addition of new code to satisfy a requested behavior change.
OK, no need for a CVE then. Thanks for the good response and the links,
Michael