[Secure-testing-team] [Secure-testing-commits] r11940 - data/CVE

Michael S. Gilbert michael.s.gilbert at gmail.com
Wed May 20 16:27:40 UTC 2009


Nico Golde wrote:
> Besides that I guess whoever tagged that as a minor 
> issue didn't do so because of defeating ASLR with this bug 
> but because it's a bad idea to run memcached in untrusted 
> environments with the port open to the outside world.

I don't want to get into an argument, but I completely disagree.  The
core of this CVE is the fact that ASLR is bypassed.  And if the TCP
port is open by default (and I don't know if it is because I haven't
checked), then that is how 99.9% of users are going to run it.  Of
course most sites will have a firewall to the external world, but you
can't assume that this is the case (in fact, you should always assume
that the user that you are trying to protect is in the worst-case
scenario), and it's possible for an intruder to be inside the firewall
either via another vulnerability on another system, a misconnected
cable, or by physical presence.

I think NOTEs are a somewhat reasonable place to discuss conflicts of
opinion because it is centralized, connected to the issue at hand, and
the people that triage security issues will come across the
discussion/philosophy, have to think about it, and make a decision.
And finally, it's easy enough to change the text once that decision
is made.

However, if the consensus is that this is bad, then I will stop.

Ultimately, perhaps the core problem here is that the security tracker
provides no means to allow dissenting/conflicting opinion.  Note that
dissenting opinions in US Supreme Court decisions are just as important
as the confirming opinions, and are used as the basis for decisions in
all future cases in US courts.

Best regards,
Mike
