Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 16 Mar 2011 12:48:53 +0000
From: David Woodhouse <dwmw2@...radead.org>
To: Josh Bressers <bressers@...hat.com>
Cc: oss-security@...ts.openwall.com, Mark McLoughlin <mark@...net.ie>, 
 "Steven M. Christey" <coley@...us.mitre.org>, David King
 <amigadave@...gadave.com>
Subject: Re: CVE Request / Discussion -- vino -- reports the
 desktop being reachable only over the local network, when reachable from
 everywhere

On Wed, 2011-03-16 at 07:58 -0400, Josh Bressers wrote:
> I probably should have been more clear here. I was under the impression the
> CVE id applied to instances where it would use UPnP and no auth, which is
> dangerous and should probably include a big warning with a button that says
> "I know what I'm doing (but probably not really)". 


Right. So that CVE should apply to the case of it listening on a
publicly available IP address with no auth, whether it uses uPnP or not.

If it just listens on the socket and is usable from the outside world
without a password, that's the *same* problem.

The CVE really has nothing to do with uPnP; it's about the lack of
authentication on a publicly-available service.

-- 
dwmw2

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.