Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 30 Mar 2015 14:00:44 -0400 (EDT)
Subject: Re: CVS-Request: realmd code execution/auth bypass

Hash: SHA1

The availability of new software from upstream doesn't determine
whether a CVE ID can be assigned. If the old software had a behavior
that matched the documentation and was consistent with a possibly
useful security model, then typically no CVE ID is assigned when a
vendor chooses to announce a cutover to a different security model.

> it should "somehow" be ensured that the legit AD servers are used.

A possibly intended use case is network environments that do not have
any untrusted devices and do not have any rogue ADs. To the extent
that the product is used on arbitrary networks, many types of
improvements might be helpful. For example, apparently the default is
to use a realm name sent by a DHCP server. One might argue that an
improvement would be dropping DHCP support on the basis that it's an
unsafe way to determine a realm name. Or, one might argue that the
realm-name string should be displayed to the client user for
confirmation before proceeding. We don't necessarily want to have CVEs
for these types of improvements. The automatic-join issue is more of a
borderline issue but may be best categorized as a natural evolution of
a security model for a better match with real-life use cases and
real-life threats.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.