Date: Sun, 06 Mar 2011 21:31:25 +0700
From: Pavel Labushev <p.labushev@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- logrotate -- nine issues

06.03.2011 19:26, Solar Designer writes:
> For this to happen, you need to post info on the specific issues and
> request CVEs for them. Will you do this, please? (Perhaps start a new
> thread, or even a thread per package - that's up to you.)

I mean we shouldn't sweep the logrotate issues under the carpet, even if
logrotate wasn't supposed to handle such use cases initially. I have an
impression that's what you suggest. I mean this:

> The rest, as described, appear to rely on sysadmin error and to assume
> security properties that logrotate never advertised it had.

and

> Indeed. A vulnerability in the service package, in my opinion. Now
> that would require CVE id assignment and a fix to the package, whereas
> logrotate could merely use some hardening with no CVE ids (except for
> issue #8, which was different).

So I think all the logrotate issues should get their CVEs with advice to
work around misuse cases by chowning the log directories root:root. The
Gentoo issues, I think they don't need CVEs and will be fixed by the
Gentoo security team (they are aware). The point was to show the misuse
cases are common.
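The workaround the message proposes (log directories owned root:root) implies a check a sysadmin or package maintainer can run before relying on logrotate. The script below is an added example and is not from the list message or from the logrotate project; it assumes the policy that every directory logrotate rotates files in should be owned by the expected uid (root by default) and not be group- or world-writable. The function names, the /var/log path and the --run flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the oss-security thread or logrotate itself):
# audit log directories for the ownership/permission misuse case the
# message describes, and apply the chown root:root workaround.
#
# Assumed policy: a directory logrotate works in must be owned by the
# expected uid (0 unless told otherwise) and must not be writable by
# group or others.

# audit_logdirs ROOT [OWNER_UID]
# Prints, one per line (sorted), every directory under ROOT that is
# either not owned by OWNER_UID (default 0) or is group/world writable.
# Empty output means nothing was found.
audit_logdirs() {
    _root=$1
    _owner=${2:-0}
    # -perm /022 matches when any of g+w or o+w is set (GNU/BSD find)
    find "$_root" -type d \( ! -uid "$_owner" -o -perm /022 \) 2>/dev/null | sort
}

# harden_logdir DIR
# The workaround from the message: make DIR root-owned and strip
# group/other write bits. Needs root to chown; on BSD systems the
# root group is named wheel rather than root.
harden_logdir() {
    chown root:root "$1" && chmod go-w "$1"
}

# Stand-alone use:  sh audit_logdirs.sh --run   (as root, audits /var/log)
if [ "${1:-}" = "--run" ]; then
    audit_logdirs /var/log 0
fi
```

Run the audit as root so that `-uid 0` reflects the real expectation; a non-empty listing is the set of directories the message's workaround (`harden_logdir`) should be applied to, after checking that the owning service does not actually need write access to the directory itself.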