Date: Tue, 30 Jul 2013 00:05:04 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Alexandre Dulaunoy <a@....be> Subject: Re: CVE missing? for "Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution" -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/29/2013 01:48 AM, Alexandre Dulaunoy wrote: > Hi All, > > I couldn't find the CVE number for the following > vulnerability/misconfiguration: > > https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution > > Is there a CVE assigned for this combo vulnerability in > Exim/Dovecot? or as this is a configuration matter there is no CVE > assigned (even if this "recommended configuration" was in the wiki > of the vendor)? > > Thanks for any feedback, > > Cheers > I'm inclined to give this a CVE since it's "official"/"recommended" documentation, and my thought is vendor documentation should be safe, and where it is not safe it should be explicit that there are risks. A great example of this is: http://docs.python.org/2/library/pickle.html In red right at the top: Warning The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source. Does anyone disagree/have strong feelings regarding this? - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR91eQAAoJEBYNRVNeJnmTvkUQAMuPqSPQgt6rF6uPgFXj4k18 4nRFLUMkVAQqYU3L37gqW+Kcv7MRI3FSDBOVbg+AiBjEMTox3F75DkAdWVv+kzEg cUEN3blGFRtUbBeeyKO73zgDq9HA5FXDFnQQQB1ARn6f518OsRYiUx6r1ej7FFSt Sc4BuOoRwvDaMhet3RvqaOtzJvtC4S2GBtjD4kKVj/Fa3SeTCY2NEklWfWQ+oYx9 85d19gXmPBoOBm63dNwK0WxuwWzACLO4B1A6e/GX4sBTAXPYelt0WJ7ibs3Gk5sQ aDVE2A/yzDI7NwakMwbNqi7A6LBctZeDy+0ecoR64R4SpF8XKfWgT6npzy5DSgPA OP1u1S+k8XRr4u1DU3kNQNiT9fYqgQUWDwcEjVXi/jW1QQeHqpobHilkTc124c+H 695YvyBELKkSMUbSH3xfBp78k+5YGrE+qj9bt0X5rU98NOVMrAa11S2pvsK3So2t 4OJXsYUNrYUJUjGFJ+B0sE2B3cfZqzsZtNPll2002FNAduJhPHU0xVTbQylFoCF4 cBNyIoKxuzYTrkiIY4sf6bDw1efQtJEbHyGqVdad9Rxo4J7wi1fblT2aRkZpdtC6 xBEHDNxRSHDe+aReG15ze8s+GfXW8Cp3nAjVZ2D+H/jZVyC/ZmBHP6EtehEGDRLn jEH+0cWXsh4hbeaG+kTg =KryW -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.