|
Message-ID: <1371535812.19806.16.camel@scapa>
Date: Tue, 18 Jun 2013 08:10:12 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: kseifried@...hat.com
Cc: Open Source Security <oss-security@...ts.openwall.com>
Subject: Re: Thoughts on a vuln/CVE?
On mar., 2013-06-18 at 00:04 -0600, Kurt Seifried wrote:
> We have software with a now insecure configuration as it points to a
> site that may or may not be under attacker control. It seems to me
> like this might be a candidate for a CVE. Thoughts and comments for
> and against are welcome (I'm on the fence myself).
I'm not completely sure what assigning a CVE would give here. Debian
itself never shipped a package adding this apt source. Some people
might have shipped some external packages adding it, but I'm not really
aware of this. Usually the source was added manually by end-users.
So I'm not too sure what tracking the “issue” would actually give. Maybe
it can help raise awareness on this, but I'm not too convinced.
Regards,
--
Yves-Alexis
Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.