[Secure-testing-team] [Secure-testing-commits] r11940 - data/CVE

Nico Golde debian-secure-testing+ml at ngolde.de
Wed May 20 15:29:54 UTC 2009


Hi,
* Michael Gilbert <gilbert-guest at alioth.debian.org> [2009-05-20 17:21]:
> Author: gilbert-guest
> Date: 2009-05-20 15:16:19 +0000 (Wed, 20 May 2009)
> New Revision: 11940
> 
> Modified:
>    data/CVE/list
> Log:
> is disregard the best course of action for weaknesses in security hardening features (e.g. memcached issue)?
> 
> 
> Modified: data/CVE/list
> ===================================================================
> --- data/CVE/list	2009-05-20 15:04:06 UTC (rev 11939)
> +++ data/CVE/list	2009-05-20 15:16:19 UTC (rev 11940)
> @@ -1325,6 +1325,9 @@
>  	[etch] - memcachedb <no-dsa> (Minor issue)
>  	[lenny] - memcachedb <no-dsa> (Minor issue)
>  	[squeeze] - memcachedb <no-dsa> (Minor issue)
> +	NOTE: why are weaknesses in security hardening features like ASLR considered minor?
> +	NOTE: even though this is not directly a vulnerability itself, part of this application's armor is now missing; making it easier for unknown vulnerabilities to be effective.
> +	TODO: reevaluate debian's position on weaknesses in security hardening features
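Review bot: the three added lines carry a policy question and a TODO rather than triage facts about the memcachedb entry, and NOTE lines in data/CVE/list are read by whoever next touches that entry, not by the team as a whole; move the first NOTE's question and the TODO to the mailing list, and reduce the remaining NOTE to what the bug concretely does to the hardening (the hunk names ASLR but not how it is defeated), e.g. "NOTE: bug lets a client defeat ASLR in the daemon; does not by itself grant access", with a reference, so the "Minor issue" tag on the lines above can be rechecked against a stated effect instead of a general claim about missing armor.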

Do you honestly think anyone is starting a discussion with 
you via NOTEs? If you want to discuss things, start a thread 
on the mailing list rather than putting notes in the CVE 
list. Besides that, I guess whoever tagged that as a minor 
issue didn't do so because of defeating ASLR with this bug, 
but because it's a bad idea to run memcached in untrusted 
environments with the port open to the outside world.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
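The reply above rests on one practical question: is the memcached port reachable from outside the host at all? The following is an added example, not code from this thread, from Debian's secure-testing repository, or from memcached/memcachedb. It audits a Debian-style /etc/memcached.conf (one switch per line, `#` comments) for the `-l` bind address and flags the exposed configuration next to the loopback-only one. The two config texts are constructed samples; that memcachedb honours the same `-l`/`-p` switches as memcached is an assumption of this example.

```python
"""Audit a Debian-style memcached.conf for network exposure.

Added example for this thread; not from Debian, memcached or memcachedb.
Debian's memcached.conf holds one command-line switch per line, with
'#' comments; the 'logfile' keyword is handled by Debian's wrapper and
is not a memcached switch. Whether memcachedb accepts the same switches
is an assumption here.
"""
import ipaddress

# Constructed sample: no -l line at all. memcached then binds every
# interface, which is the "port open to the outside world" case.
EXPOSED_CONF = """\
# memcached default config file
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u nobody
"""

# Constructed sample: the hardened counterpart, bound to loopback only.
LOCAL_CONF = """\
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u nobody
-l 127.0.0.1
"""


def parse_conf(text):
    """Flatten the config into the option list memcached sees on argv."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            opts.extend(line.split())
    return opts


def listen_addresses(opts):
    """Collect every address passed to -l, as '-l ADDR' or '-lADDR'.

    Comma-separated lists are split so each address is judged on its own.
    An empty result means the switch is absent, i.e. bind to all interfaces.
    """
    addrs = []
    i = 0
    while i < len(opts):
        tok = opts[i]
        if tok == "-l" and i + 1 < len(opts):
            addrs.extend(opts[i + 1].split(","))
            i += 2
        elif tok.startswith("-l") and len(tok) > 2:
            addrs.extend(tok[2:].split(","))
            i += 1
        else:
            i += 1
    return addrs


def audit(text):
    """Return (exposed, reason): exposed is True when any bind address
    is reachable from the network rather than loopback only."""
    addrs = listen_addresses(parse_conf(text))
    if not addrs:
        return True, "no -l given: daemon listens on all interfaces"
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            # A hostname cannot be proven local without resolving it.
            return True, "-l %s is not an IP literal; cannot prove it is local" % a
        if ip.is_unspecified:
            return True, "-l %s binds every interface" % a
        if not ip.is_loopback:
            return True, "-l %s is reachable from the network" % a
    return False, "bound to loopback only"


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("local", LOCAL_CONF)):
        exposed, why = audit(conf)
        print("%-8s exposed=%s (%s)" % (name, exposed, why))
```

The check deliberately treats a missing `-l` as exposed rather than unknown: the absent switch is the default install, and a memcached of this era speaks an unauthenticated protocol, so an ASLR weakness in the daemon only matters once this check already fails.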