Date: Mon, 08 Jun 2015 17:44:45 -0500
From: Michael Catanzaro <mcatanzaro@...lia.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: WebKitGTK+ performs DNS prefetch when a proxy is configured

On Mon, 2015-06-08 at 17:34 -0400, cve-assign@...re.org wrote:
> 
> We're not sure that this can be considered a vulnerability fix; it
> seems more like a feature addition. The
> platformProxyIsEnabledInSystemPreferences "return false" code seems
> to mean that the product's development status was that ascertaining
> a proxy setting was an unimplemented capability, and therefore any
> proxy-specific DNS behavior was an unimplemented feature.

Yes, but it should have been a "return true" to fail-safe instead.

> Admittedly, never making direct DNS queries during proxy use may be
> the new preferred behavior in this product. However, sometimes people
> want to make direct DNS queries during proxy use.

I don't think we intend to support this level of configurability.

> There could be a CVE ID if a product were specifically trying to
> detect a proxy setting (in order to avoid direct DNS in that case)
> but failing because of a coding error. There typically can't be a
> CVE ID for addition of new code to satisfy a requested behavior change.

OK, no need for a CVE then.

Thanks for the good response and the links,

Michael
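The exchange above turns on one design point: when the platform cannot tell the prefetcher whether a proxy is configured, a stub that answers "no proxy" lets hostnames leak to the local resolver, while a fail-safe stub answers "assume a proxy" and suppresses prefetching. The following C++ is an added illustration of that difference, not WebKit's code; the names ProxyState, prefetchAllowedUnsafe, prefetchAllowedFailSafe and directLookups are hypothetical, and the link list is constructed for the example.

```cpp
// Added example (not WebKit's code): models how a DNS-prefetch gate
// should treat an unknown proxy state. All names are hypothetical.
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Answer from "is a proxy enabled in system preferences?".
// std::nullopt models the case the thread discusses: the platform
// lookup is unimplemented (or failed), so the true state is unknown.
using ProxyState = std::optional<bool>;

// Unsafe default: unknown is treated as "no proxy", so prefetching
// proceeds and every hostname is handed to the local resolver.
bool prefetchAllowedUnsafe(ProxyState proxyEnabled) {
    return !proxyEnabled.value_or(false);
}

// Fail-safe default: unknown is treated as "a proxy may be in use",
// so prefetching stays off until the platform positively says no proxy.
bool prefetchAllowedFailSafe(ProxyState proxyEnabled) {
    return !proxyEnabled.value_or(true);
}

// Simulated prefetcher: returns the hostnames that would be resolved
// directly, i.e. the observable leak when a proxy is actually configured.
std::vector<std::string> directLookups(const std::vector<std::string>& links,
                                       ProxyState proxyEnabled,
                                       bool (*policy)(ProxyState)) {
    std::vector<std::string> resolved;
    if (!policy(proxyEnabled))
        return resolved;          // prefetch suppressed: nothing reaches DNS
    for (const auto& host : links)
        resolved.push_back(host); // would be sent to the local resolver
    return resolved;
}

int main() {
    // Constructed sample: links found on a page, proxy state unknown.
    const std::vector<std::string> links = {"a.example", "b.example"};
    std::cout << "unsafe default leaks "
              << directLookups(links, std::nullopt, prefetchAllowedUnsafe).size()
              << " lookups, fail-safe default leaks "
              << directLookups(links, std::nullopt, prefetchAllowedFailSafe).size()
              << "\n";
    return 0;
}
```

With the proxy state unknown, the unsafe policy resolves both hostnames directly and the fail-safe policy resolves none; once the platform reports "no proxy" explicitly, both policies allow prefetching, which is the configurability the thread says is sufficient.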
