Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 4 Sep 2013 15:50:01 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: unauthorized host/service views
 displayed in servicegroup view

* [2013-09-04 11:25:21 -0400] Daniel Kahn Gillmor wrote:

>[dropping cc's, just leaving oss-security]
>
>On 09/03/2013 07:02 PM, Vincent Danen wrote:
>
>> I mean, if someone wants to shoot themselves in the foot and document it
>> as a feature, who are we to say otherwise?  We may not agree with it,
>> but it's a documented feature (deliberately changed), so we can't just
>> very well call it a security flaw because we don't like the new
>> behaviour.
>
>I'm curious about this.  If, say, a modern TLS library some day decides
>to get around to implementing (old, deprecated, known-insecure,
>previously-unimplemented) SSLv2, and announces it as a feature, and
>enables it by default, is the consensus of this group that we would not
>treat it as worthy of a CVE, despite being a clear security weakening?
>
>At what point does the security community override the upstream
>decisions and declare the packages vulnerable?

That's a good question.  For your example, I'd say that's a bad thing...
we all know SSLv2 is insecure and we would consider the developer to be
a little "special" in the head, I think.  =)

This is a bit different though.  The users are authenticated -- it's not
unauthenticated exposure.  How granular the access controls _within_
that application are largely depend on the developer.  It might be
different if they decided to chuck the whole authentication basis and
decided that information in Nagios should be public.  But, even then,
that is a definite design decision -- is it still a security flaw?

Arguably, Google searches often reveal sensitive information -- does
that mean Google searches require a CVE?  Or is that up to the end user
to decide "this has too much risk" or "I disagree with the design
decision here and will suit something better to my use-case"?

So while I think you have a valid question, I think the first question
is what constitutes a security flaw -- once that is defined, then I
think what upstream does is irrelevant.  If it's a flaw, it's a flaw.

And obviously upstream's point of view is sometime questionable -- it's
like the Linux kernel folks deciding there are no security bugs, only
_bugs_ (with no distinction).  That never went over very well.  =)

-- 
Vincent Danen / Red Hat Security Response Team 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.