Date: Wed, 27 May 2015 11:26:45 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Question about tmp flaws in non-default build options (e.g. Kerberos DEBUG_ASN1)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> only exist if you build with DEBUG_ASN1

As suggested in the
http://openwall.com/lists/oss-security/2014/01/29/10 post, unsafe
programming practices reachable in non-default builds are not within
the scope of CVE simply because the code exists. There must be
documentation indicating that an end user may wish to have the
applicable non-default build.

As far as we know, MIT Kerberos 5 does not document DEBUG_ASN1 for use
by end users. It seems reasonable to expect that those code sections
are only intended for use during development, and that there's a
cost/benefit tradeoff to addressing all possible risks to their
developers' machines. There won't be a CVE mapping for this DEBUG_ASN1
report unless the upstream vendor requests one.

> To: ... CVE ID Change <cve-id-change@...re.org>

This report doesn't relate to the cve-id-change@...re.org list.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVZeEwAAoJEKllVAevmvmsDj0H/R/JnY+GcIJkOvuq0qvJGqLm
lgF5zU/AJ/CObyajMW7ELgdM6vcljix8WR0e8wtE87Hn1Feov1e7WzrP0gk0HaXr
BTWzNmhkNj0wI65wYjhJ3QN4odQBl0I4lhnzjfJsADLEUuCeC/UqgGUokl4f7atB
YlWgET5uHXhMTjrjFZT0Qgxzda03lC951bXX93pD1Z6c8uAjM0O2HFrAV1pdfO8D
yxje1wh8jcPCJL74x9K2cuWa9Wrs/h/AA4ZS1naNb7yNnyHvEuE+uCRI82E3RgGe
iqW7MlEqKJHTo4Vcgp7gCTF+oMW3OWRdbbg6OcK+0BXTGdxYknXKK24olk7e9Hc=
=MUye
-----END PGP SIGNATURE-----
