[Secure-testing-team] Debian bug #500295 / TEMP-0500295-A176F7
Michael Gilbert
mgilbert at debian.org
Thu Jan 10 03:02:38 UTC 2013
On Sat, Dec 29, 2012 at 5:22 PM, Henri Salo wrote:
> Hello list,
>
> I wonder if we should remove security-tag from issue #500295? It is
> tracked as TEMP-0500295-A176F7, but I do not think that this is a
> security vulnerability. It should also be removed from CVE/list as it
> won't get a CVE identifier. I do not see any practical attack vectors for
> this issue. Security tracker data at the moment:
>
> CVE-2008-XXXX [possible script injection via /etc/wordpress/wp-config.php]
> - wordpress <unfixed> (bug #500295; unimportant)
> NOTE: bigger problems, if attacker has access to /etc/wordpress/*

Why not just plug in the fixed package version?

> In my opinion we should not leave non-issues in the tracker.

My opinion is quite the opposite. Information about non-issues (i.e.
the unimportant tag) is educational and demonstrates a commitment to
transparency and an effort at completeness for all potential security
issues.

Best wishes,
Mike