[pkg-dhcp-devel] Bug#672232: Re: isc-dhcp-client: method to ignore settings provided by the server

Michael Gilbert mgilbert at debian.org
Mon Nov 30 00:30:19 UTC 2015


On Sun, Nov 29, 2015 at 7:07 PM, Christoph Anton Mitterer wrote:
> Left aside, that NTP by itself isn't secured in any way (i.e.
> cryptographically)... people could in principle set up a VPN to a NTP
> server they know they can trust.

Please go write SecureNTP then.

> But even if that isn't done, I don't see how using the debian pool
> helps.
> If the DHCP advertises its own evil NTP server, then that will be
> used. At least ifupdown does so (network manager interestingly seems to
> ignore that part of DHCP).

Then you shouldn't use the Debian ntp package or any other Debian
package at all for that matter.

> This doesn't mention that it only applies to issues at Debian, or to
> issues that can easily be fixed.
> It also doesn't state that it would apply to code security issues (i.e.
> buffer overruns or so).

Like I said, the security tag is for now removed because I am not
going to deal with it as a security issue until you defend it to your
peers.  I am not interested in looking at it because I am far beyond
my tolerance threshold with your behavior.

It is up to you to change that.

> The only thing negative I can find in my mail is
> "Security-ignorance at its finest o.O"
> which simply describes the fact that this issue is apparently ignored
> in Debian (based already on the fact that the security-tag is removed).
> It doesn't claim anything about you, whether you're smart, stupid,
> friendly, hostile or anything else.

Clearly prior behavior plays a huge role here.

>> Good work, should be excellent justification for your CVE request
>> (with real details of course)!
> AFAIU, people couldn't just directly request CVEs, can they?
> I thought that needs to happen via a CNA, which Debian, to my knowledge,
> was one.

CNAs only issue IDs for non-public issues.  Absolutely anyone can and
should send CVE requests to oss-sec for issues that are already
public.

> Anyway. I wasn't aware that only security issues with a CVE may be
> recorded and marked as such in the Debian BTS.

That is not true.  But like I said, I am not interested in dealing
with your negativity any more, so please make your case to others.

Best wishes,
Mike
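The quoted exchange turns on one technical point: with the stock dhclient configuration, an NTP server address handed out by the DHCP server is passed on to the host's NTP setup. The script below is an added example, not part of this thread or of the Debian isc-dhcp-client or ntp packages. It shows how to check a dhclient lease for a DHCP-supplied `ntp-servers` option, and contrasts a dhclient.conf that requests that option with one that drops it from the `request` list and uses the `supersede` statement (documented in dhclient.conf(5)) to pin a locally chosen server. The lease and both configuration fragments are constructed for the example, the "weak" one being modelled on Debian's default request list; `203.0.113.1` is a placeholder for an NTP server you control, and the configuration parser is deliberately minimal (it strips `#` comments and matches on the flattened text).

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian packages): check whether
# a DHCP lease delivered NTP servers, and whether a dhclient.conf would let
# such a value take effect. All inputs below are constructed, not real captures.

# Constructed lease in the format dhclient writes to /var/lib/dhcp/dhclient.leases.
SAMPLE_LEASE='lease {
  interface "eth0";
  fixed-address 192.0.2.10;
  option subnet-mask 255.255.255.0;
  option routers 192.0.2.1;
  option domain-name-servers 192.0.2.53;
  option ntp-servers 192.0.2.123,192.0.2.124;
  renew 1 2015/11/30 06:00:00;
}'

# Constructed dhclient.conf modelled on the Debian default: ntp-servers is in
# the request list and nothing overrides whatever the server returns.
WEAK_CONF='request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers, domain-search, host-name,
        netbios-name-servers, netbios-scope, interface-mtu,
        rfc3442-classless-static-routes, ntp-servers;'

# Hardened variant: ntp-servers is no longer requested, and "supersede"
# (dhclient.conf(5)) replaces any value the server sends with a local one,
# so a DHCP-supplied address never reaches the hooks that configure ntp.
HARD_CONF='request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers, domain-search, host-name,
        netbios-name-servers, netbios-scope, interface-mtu,
        rfc3442-classless-static-routes;
# 203.0.113.1 is a placeholder for an NTP server you control (e.g. reached over a VPN)
supersede ntp-servers 203.0.113.1;'

# Print the NTP servers a lease carries, space separated (empty if none).
lease_ntp_servers() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*option ntp-servers \(.*\);[[:space:]]*$/\1/p' \
    | tr ',' ' '
}

# Exit 0 if this dhclient.conf lets a DHCP-supplied ntp-servers value take
# effect: ntp-servers is requested and no "supersede ntp-servers" overrides it.
# Deliberately simple: strips "#" comments, then matches on the flattened text.
conf_honours_dhcp_ntp() {
  flat=$(printf '%s\n' "$1" | sed 's/#.*//' | tr '\n' ' ')
  case "$flat" in
    *'supersede ntp-servers'*) return 1 ;;
  esac
  printf '%s\n' "$flat" | grep -Eq 'request [^;]*ntp-servers'
}

# Run the check against the constructed inputs.
main() {
  servers=$(lease_ntp_servers "$SAMPLE_LEASE")
  if [ -n "$servers" ]; then
    echo "DHCP server pushed NTP servers: $servers"
  fi
  for name in WEAK_CONF HARD_CONF; do
    eval "conf=\$$name"
    if conf_honours_dhcp_ntp "$conf"; then
      echo "$name: DHCP-supplied NTP servers would be used"
    else
      echo "$name: DHCP-supplied NTP servers are ignored or overridden"
    fi
  done
}

main
```

To apply the check on a real host, pass the contents of `/var/lib/dhcp/dhclient.leases` and `/etc/dhcp/dhclient.conf` to the two functions instead of the constructed strings. Note the asymmetry between the two hardening steps: dropping `ntp-servers` from `request` only stops the client asking for it, while `supersede` replaces the value regardless of what the server sends, which is why the hardened fragment uses both.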