Date: Mon, 14 Mar 2011 21:07:49 +0000
From: David Woodhouse <dwmw2@...radead.org>
To: Josh Bressers <bressers@...hat.com>
Cc: oss-security@...ts.openwall.com, David King <amigadave@...gadave.com>, Mark McLoughlin <mark@...net.ie>, "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere

On Mon, 2011-03-14 at 16:59 -0400, Josh Bressers wrote:
> This looks like one id for vino improperly claiming that machine is only
> accessible via the local network.
>
> Another for it using uPnP to open up a router without proper warning.

I'd concur with the former, but not the latter.

Issuing a CVE for that kind of thing just encourages the people who
mistakenly view NAT as a form of security. uPnP is just one of the
*many* reasons that viewpoint is wrong.

If you wouldn't issue a CVE for vino listening with socket() and bind()
system calls, then you shouldn't issue a CVE for it using uPnP to listen
either. uPnP is just the normal way to work around broken networking.

As far as I'm concerned there is only one issue here; the misreporting
that only local access is possible when in fact it's not.

-- 
David Woodhouse
Open Source Technology Centre
David.Woodhouse@...el.com
Intel Corporation