Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 27 May 2015 11:26:45 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Question about tmp flaws in non-default build options (e.g. Kerberos DEBUG_ASN1)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> only exist if you build with DEBUG_ASN1

As suggested in the
http://openwall.com/lists/oss-security/2014/01/29/10 post, unsafe
programming practices reachable in non-default builds are not within
the scope of CVE simply because the code exists. There must be
documentation indicating that an end user may wish to have the
applicable non-default build.

As far as we know, MIT Kerberos 5 does not document DEBUG_ASN1 for use
by end users. It seems reasonable to expect that those code sections
are only intended for use during development, and that there's a
cost/benefit tradeoff to addressing all possible risks to their
developers' machines. There won't be a CVE mapping for this DEBUG_ASN1
report unless the upstream vendor requests one.

> To: ... CVE ID Change <cve-id-change@...re.org>

This report doesn't relate to the cve-id-change@...re.org list.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVZeEwAAoJEKllVAevmvmsDj0H/R/JnY+GcIJkOvuq0qvJGqLm
lgF5zU/AJ/CObyajMW7ELgdM6vcljix8WR0e8wtE87Hn1Feov1e7WzrP0gk0HaXr
BTWzNmhkNj0wI65wYjhJ3QN4odQBl0I4lhnzjfJsADLEUuCeC/UqgGUokl4f7atB
YlWgET5uHXhMTjrjFZT0Qgxzda03lC951bXX93pD1Z6c8uAjM0O2HFrAV1pdfO8D
yxje1wh8jcPCJL74x9K2cuWa9Wrs/h/AA4ZS1naNb7yNnyHvEuE+uCRI82E3RgGe
iqW7MlEqKJHTo4Vcgp7gCTF+oMW3OWRdbbg6OcK+0BXTGdxYknXKK24olk7e9Hc=
=MUye
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.