Date: Mon, 08 Jun 2015 17:44:45 -0500
From: Michael Catanzaro <mcatanzaro@...lia.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: WebKitGTK+ performs DNS prefetch when a proxy is configured

On Mon, 2015-06-08 at 17:34 -0400, cve-assign@...re.org wrote:
>
> We're not sure that this can be considered a vulnerability fix; it
> seems more like a feature addition. The
> platformProxyIsEnabledInSystemPreferences "return false" code seems to
> mean that the product's development status was that ascertaining a
> proxy setting was an unimplemented capability, and therefore any
> proxy-specific DNS behavior was an unimplemented feature.

Yes, but it should have been a "return true" to fail-safe instead.

> Admittedly, never making direct DNS queries during proxy use may be
> the new preferred behavior in this product. However, sometimes people
> want to make direct DNS queries during proxy use.

I don't think we intend to support this level of configurability.

> There could be a CVE ID if a product were specifically trying to
> detect a proxy setting (in order to avoid direct DNS in that case) but
> failing because of a coding error. There typically can't be a CVE ID
> for addition of new code to satisfy a requested behavior change.

OK, no need for a CVE then. Thanks for the good response and the links,

Michael