Date: Tue, 18 Jun 2013 08:10:12 +0200 From: Yves-Alexis Perez <corsac@...ian.org> To: kseifried@...hat.com Cc: Open Source Security <oss-security@...ts.openwall.com> Subject: Re: Thoughts on a vuln/CVE? On mar., 2013-06-18 at 00:04 -0600, Kurt Seifried wrote: > We have software with a now insecure configuration as it points to a > site that may or may not be under attacker control. It seems to me > like this might be a candidate for a CVE. Thoughts and comments for > and against are welcome (I'm on the fence myself). I'm not completely sure what assigning a CVE would give here. Debian itself never shipped a package adding this apt source. Some people might have shipped some external packages adding it, but I'm not really aware of this. Usually the source was added manually by end-users. So I'm not too sure what tracking the “issue” would actually give. Maybe it can help raise awareness on this, but I'm not too convinced. Regards, -- Yves-Alexis Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.