Date: Wed, 27 May 2015 11:26:45 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Question about tmp flaws in non-default build options (e.g. Kerberos DEBUG_ASN1)

> only exist if you build with DEBUG_ASN1

As suggested in the http://openwall.com/lists/oss-security/2014/01/29/10 post, unsafe programming practices reachable in non-default builds are not within the scope of CVE simply because the code exists. There must be documentation indicating that an end user may wish to have the applicable non-default build. As far as we know, MIT Kerberos 5 does not document DEBUG_ASN1 for use by end users. It seems reasonable to expect that those code sections are only intended for use during development, and that there's a cost/benefit tradeoff to addressing all possible risks to their developers' machines. There won't be a CVE mapping for this DEBUG_ASN1 report unless the upstream vendor requests one.

> To: ... CVE ID Change <cve-id-change@...re.org>

This report doesn't relate to the cve-id-change@...re.org list.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]