Date: Sun, 06 Mar 2011 21:31:25 +0700
From: Pavel Labushev <p.labushev@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- logrotate -- nine issues

06.03.2011 19:26, Solar Designer writes:
> For this to happen, you need to post info on the specific issues and
> request CVEs for them. Will you do this, please? (Perhaps start a new
> thread, or even a thread per package - that's up to you.)

I mean we shouldn't sweep the logrotate issues under the carpet, even if
logrotate wasn't supposed to handle such use cases initially. I have an
impression that's what you suggest. I mean this:

> The rest, as described, appear to rely on sysadmin error and to assume
> security properties that logrotate never advertised it had.

and

> Indeed. A vulnerability in the service package, in my opinion. Now
> that would require CVE id assignment and a fix to the package, whereas
> logrotate could merely use some hardening with no CVE ids (except for
> issue #8, which was different).

So I think all the logrotate issues should get their CVEs with advice to
work around misuse cases by chowning the log directories root:root.

The Gentoo issues, I think they don't need CVEs and will be fixed by the
Gentoo security team (they are aware). The point was to show the misuse
cases are common.
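The workaround named above, keeping the directories that hold logrotate-managed logs owned by root:root, is something an administrator can check mechanically. The script below is an added example, not code from this thread or from the logrotate project: it reads the log paths out of a logrotate config file, takes their parent directories, and reports any that are missing or not owned by uid 0 and gid 0. The function names are my own, the sample config is constructed, and `stat -c` assumes GNU coreutils on Linux.

```shell
#!/bin/sh
# Added audit helper (not from the thread or from logrotate): list the
# directories that hold logrotate-managed logs and flag any that are not
# owned by root:root. Assumes GNU coreutils `stat` (Linux).

# Print the parent directory of every log path named in a logrotate config
# file ($1), one per line, deduplicated. Matches lines that begin with an
# absolute path, e.g. "/var/log/a/*.log /var/log/a/err.log {" or a bare
# "/var/log/b/app.log"; directives such as "daily" and comments are ignored.
logrotate_log_dirs() {
    # keep only lines starting with an absolute path
    grep -E '^[[:space:]]*/' "$1" |
        # drop a trailing "{" and whatever follows it
        sed -e 's/[[:space:]]*{.*$//' |
        # one path per line (glob patterns are kept as written)
        tr ' \t' '\n\n' |
        # discard the empty fields left over from leading whitespace
        grep '^/' |
        while IFS= read -r f; do dirname "$f"; done |
        sort -u
}

# Read directories from stdin, one per line, and print
#   "MISSING <dir>"              if the directory does not exist
#   "NONROOT <dir> <uid>:<gid>"  if it is not owned by uid 0 / gid 0
# Prints nothing for a directory that exists and is owned by root:root.
flag_non_root_dirs() {
    while IFS= read -r d; do
        if [ ! -d "$d" ]; then
            echo "MISSING $d"
            continue
        fi
        own=$(stat -c '%u:%g' "$d")
        case "$own" in
            0:0) ;;
            *) echo "NONROOT $d $own" ;;
        esac
    done
}

# Run the whole audit on one config file; silent when every log directory
# exists and is owned by root:root.
audit_logrotate_config() {
    logrotate_log_dirs "$1" | flag_non_root_dirs
}

# Write a constructed sample config (not a real system file) to a temp file
# and print its path, so the functions above can be exercised offline.
make_sample_config() {
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
# constructed sample logrotate config
/var/log/myapp/*.log /var/log/myapp/error.log {
    daily
    rotate 7
}
/var/log/otherapp/app.log
{
    weekly
}
EOF
    echo "$cfg"
}
```

Run it against a real config with, for example, `audit_logrotate_config /etc/logrotate.d/myapp`, or loop it over every file under `/etc/logrotate.d`. The check only covers the directories themselves: it says nothing about whether the files inside, or any `create`/`su` directives in the config, are set the way the service package intended.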