[Secure-testing-team] [Secure-testing-commits] r11940 - data/CVE

Michael S. Gilbert michael.s.gilbert at gmail.com
Wed May 20 15:49:21 UTC 2009


On Wed, 20 May 2009 17:29:54 +0200, Nico Golde wrote:
> Hi,
> * Michael Gilbert <gilbert-guest at alioth.debian.org> [2009-05-20 17:21]:
> > Author: gilbert-guest
> > Date: 2009-05-20 15:16:19 +0000 (Wed, 20 May 2009)
> > New Revision: 11940
> > 
> > Modified:
> >    data/CVE/list
> > Log:
> > is disregard the best course of action for weaknesses in security hardening features (e.g. memcached issue)?
> > 
> > 
> > Modified: data/CVE/list
> > ===================================================================
> > --- data/CVE/list	2009-05-20 15:04:06 UTC (rev 11939)
> > +++ data/CVE/list	2009-05-20 15:16:19 UTC (rev 11940)
> > @@ -1325,6 +1325,9 @@
> >  	[etch] - memcachedb <no-dsa> (Minor issue)
> >  	[lenny] - memcachedb <no-dsa> (Minor issue)
> >  	[squeeze] - memcachedb <no-dsa> (Minor issue)
> > +	NOTE: why are weaknesses in security hardening features like ASLR considered minor?
> > +	NOTE: even though this is not directly a vulnerability itself, part of this application's armor is now missing; making it easier for unknown vulnerabilities to be effective.
> > +	TODO: reevaluate debian's position on weaknesses in security hardening features
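
Review bot: The three added lines under the memcachedb entries put an open question ("why are ... considered minor?") and a distribution-wide policy TODO into a per-issue entry in data/CVE/list, where they cannot be answered and will stay after the question is settled. Take the question to the mailing list instead. If something must stay in the entry, make it a single factual NOTE about this issue's impact, e.g. that it weakens a hardening feature (ASLR) and is not directly a vulnerability itself. If the point is that the triage is wrong, propose changing the "<no-dsa> (Minor issue)" rationale on the three release lines rather than appending a NOTE that disagrees with it. Minor: "debian's" should be "Debian's".
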
> 
> Do you honestly think anyone is starting a discussion with 
> you via NOTEs? If you want to discuss things, start a thread 
> on the mailing list rather than putting notes in the CVE 
> list. Besides that I guess whoever tagged that as a minor 
> issue didn't do so because of defeating ASLR with this bug 
> but because it's a bad idea to run memcached in untrusted 
> environments with the port open to the outside world.

ok


