[Secure-testing-team] [Secure-testing-commits] r14905 - data/CVE
Nico Golde
debian-secure-testing+ml at ngolde.de
Mon Jul 5 22:34:50 UTC 2010
Hi,
* Giuseppe Iuculano <giuseppe at iuculano.it> [2010-07-05 23:30]:
> On 07/05/2010 07:37 PM, Nico Golde wrote:
> > Every serious security researcher/enthusiast should question himself if a note
> > such as "poc doesn't work" is acceptable. Imho it's not, it's a PoC, nothing
> > more. If a PoC doesn't work that doesn't mean there is no vulnerability. Such
> > notes are also not acceptable for the security tracker. If it can't work
> > because of something else or there is more reasoning behind that, please note
> > it and be verbose.
>
> In this specific case this CVE seems to me a little weird. There is only
> a PoC that doesn't work in any browser (chromium included).
Yes, I'm aware of it. Maybe bringing this up again at mitre will get it
rejected, even though the design issue still exists :/
> So if you mean that we should track all browser vulnerable to
> ClickJacking, I think this is a little insane, practically all browser
> are vulnerable.
Yes, I have to say I just took this special case as en example without going
into the details of this issue. I still would prefer a more verbose
description in general if possible than this especially because it makes it
way easier for people to understand the rationale behind the note when
checking our security tracker without completely assembling all
vulnerability details on their own.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20100706/0d81bc00/attachment.pgp>
More information about the Secure-testing-team
mailing list