
List:       oss-security
Subject:    Re: [oss-security] Thoughts on a vuln/CVE?
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-06-19 6:21:51
Message-ID: 51C14DFF.2050309 () redhat ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/19/2013 12:17 AM, Florian Weimer wrote:
> * Kurt Seifried:
> 
>> I care a lot less about what is "officially endorsed" or not
>> endorsed and a lot more with what is actually going on. If a
>> large percentage of people are exposed to a vuln, even if they
>> "shouldn't" be then it would still get a CVE. I see a lot of CVEs
>> that should never be exploitable, but people do crazy
>> things/configurations.
> 
> But the present situation is really not that clear-cut.  We have
> no indicator of malicious intent from the current domain owner, and
> users would still have to disable signature checking *and* they
> must have configured the problematic repository.  That's a little
> bit far-fetched.

Right. I'm talking about more than just this instance: WordPress
plugins, rubygems.org, etc. Anyway, I've been thinking about it and
will post a longer email later.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
-----END PGP SIGNATURE-----