Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 18 Jun 2013 00:44:09 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Moritz Muehlenhoff <jmm@...til.org>
Subject: Re: Thoughts on a vuln/CVE?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/18/2013 12:24 AM, Moritz Muehlenhoff wrote:
> On Tue, Jun 18, 2013 at 12:04:30AM -0600, Kurt Seifried wrote:
> 
>> http://bits.debian.org/2013/06/remove-debian-multimedia.html
> 
> [..]
> 
>> We have software with a now insecure configuration as it points
>> to a site that may or may not be under attacker control. It seems
>> to me like this might be a candidate for a CVE. Thoughts and
>> comments for and against are welcome (I'm on the fence myself).
> 
> No way. This is not an insecure configuration: This was never a
> Debian service and people are free to put whatever they want in
> /etc/apt/sources.list. There are hundreds of external apt sources
> and everyone of them could have their owner changed at some point.
> 
> Also there's no security issue: If a domain is grabbed and someone
> configures an apt repository on the site, he/she would lack the
> repository key previously used to sign the repo.
> 
> Cheers, Moritz
> 

Ah thanks, I forgot about that (I don't use Debian that often). So
with the signing key requirement in mind this is not a vuln.

However my original question still stands, can/should we consider a
common configuration of software that goes from being secure to
insecure to be worthy of a CVE? A lot of things that used to be common
practice (like shipping every service/server enabled, all accounts
active, all access enabled, anonymous uploads allowed, etc.) are now
seen as security vulnerabilities/exposures.

As for the security of the repo key proving that it it is safe/not
compromised would be hard, I'm guessing it wasn't held on an HSM, and
was it securely destroyed, or?

Also part of my thought process is that (for example) this would be a
good configuration to check for and ensure is disabled, something for
SCAP for example or the Debian security guide (e.g. a generic "make
sure all enabled repos are actually working as expected").


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRwAG5AAoJEBYNRVNeJnmTzDYP/1FG8ALLhiHpoqbBvnrYymfi
g5De/gVZdn9BGmloP5qFEOtywzxZtEruToQ76ztyf1gCUPjAh8gQrUGFJMNl0n/d
zgRTOyzHH1U5KBLF9PhZzyxx9thGpBvlJzlgdwnRqOj40qRVAai+SEWVtdiR9Qtg
4VNDGXKhetuDP4MRhnYjfgCsCJ8WPtbICBhc7g328BtN3SmYc02feXYMFGHr/VfM
Xn7n5KsANFnI0exVhTP8foFXwaQELBpz0R45J2EvocJnTdLLlSvbr1KQJBRzb5pC
q0A0EIWn7B/ymqqmsqR/hs+xulqSZ2J0vumZvpXNAWVIjtynoAOIM0a3WO3iSb4L
xE2pNTr9LOnnq9F6r2U+sU60cWMZu/hLJkt+iDwmIT2vpOZ8TmFjAJfPPFaxvYXb
IJeqvmxlwcb91sj73yoagBFzBByRo4Ka7akUrrO40lW4GsqjQOlwKkvQsrE/4hv6
QttA1UW1VcdcrqfNXAVncXwkyEH2wS3lJT/6z05eOcC+Ca8EKNO1W2/3CT7lM0Zi
ig5VQGqyX/zJTstS7iR2sJNryA/HsFhsrPt05cRxyc99zB1GY4rRWuioU0foyS3D
V9YzZLJb9c5djZPkwqDo0XrTdeuQCDBy1cgk1pjCaTjj+uCxugwJnXyfNts49oIp
xW1cbTD0akaJx9imbztz
=ZYhI
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.