Date: Mon, 08 Jun 2015 17:44:45 -0500
From: Michael Catanzaro <mcatanzaro@...lia.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: WebKitGTK+ performs DNS prefetch when a proxy is
 configured

On Mon, 2015-06-08 at 17:34 -0400, cve-assign@...re.org wrote:
> 
> We're not sure that this can be considered a vulnerability fix; it
> seems more like a feature addition. The
> platformProxyIsEnabledInSystemPreferences "return false" code seems to
> mean that the product's development status was that ascertaining a
> proxy setting was an unimplemented capability, and therefore any
> proxy-specific DNS behavior was an unimplemented feature.

Yes, but it should have been a "return true" to fail-safe instead.

> Admittedly, never making direct DNS queries during proxy use may be
> the new preferred behavior in this product. However, sometimes people
> want to make direct DNS queries during proxy use.

I don't think we intend to support this level of configurability.

> There could be a CVE ID if a product were specifically trying to
> detect a proxy setting (in order to avoid direct DNS in that case) but
> failing because of a coding error. There typically can't be a CVE ID
> for addition of new code to satisfy a requested behavior change.

OK, no need for a CVE then.

Thanks for the good response and the links,

Michael
