Date: Tue, 30 Jul 2013 00:05:04 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Alexandre Dulaunoy <a@....be>
Subject: Re: CVE missing? for "Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution"

On 07/29/2013 01:48 AM, Alexandre Dulaunoy wrote:
> Hi All,
> 
> I couldn't find the CVE number for the following
> vulnerability/misconfiguration:
> 
> https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution
>
> Is there a CVE assigned for this combo vulnerability in
> Exim/Dovecot? Or, as this is a configuration matter, is there no CVE
> assigned (even if this "recommended configuration" was in the wiki
> of the vendor)?
> 
> Thanks for any feedback,
> 
> Cheers
> 

I'm inclined to give this a CVE since it's "official"/"recommended"
documentation, and my thought is vendor documentation should be safe,
and where it is not safe it should be explicit that there are risks. A
great example of this is:

http://docs.python.org/2/library/pickle.html

In red right at the top:

Warning The pickle module is not intended to be secure against
erroneous or maliciously constructed data. Never unpickle data
received from an untrusted or unauthenticated source.

Does anyone disagree/have strong feelings regarding this?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993