Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20150330180044.1EB0F42E028@smtpvbsrv1.mitre.org>
Date: Mon, 30 Mar 2015 14:00:44 -0400 (EDT)
From: cve-assign@...re.org
To: krahmer@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVS-Request: realmd code execution/auth bypass

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The availability of new software from upstream doesn't determine
whether a CVE ID can be assigned. If the old software had a behavior
that matched the documentation and was consistent with a possibly
useful security model, then typically no CVE ID is assigned when a
vendor chooses to announce a cutover to a different security model.

> it should "somehow" be ensured that the legit AD servers are used.

A possibly intended use case is network environments that do not have
any untrusted devices and do not have any rogue ADs. To the extent
that the product is used on arbitrary networks, many types of
improvements might be helpful. For example, apparently the default is
to use a realm name sent by a DHCP server. One might argue that an
improvement would be dropping DHCP support on the basis that it's an
unsafe way to determine a realm name. Or, one might argue that the
realm-name string should be displayed to the client user for
confirmation before proceeding. We don't necessarily want to have CVEs
for these types of improvements. The automatic-join issue is more of a
borderline issue but may be best categorized as a natural evolution of
a security model for a better match with real-life use cases and
real-life threats.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVGY6EAAoJEKllVAevmvmsbkQH/R9UUBJ5q0zGJzOUdL4i4E3a
ZMk15+zBbvKov5NSYFFNL1TI5O9TlVHZFWb9NZoasnHb4RcFlv3byelYOGNRTdLD
rJNnD7Jy7bnIwrniKe/gb7DnKfbLIeB4BarjKPRbBz3O7zWYYhLJArdod62PgD0i
bBkQsJgIAPR0Rlb29zYKvrWBpAtxSI1KE4lJKH6/JxCWOXy23BG5aBDlEF4oGmSR
8hyJ2ZKRw1gEmdeSH8E1TUkbYukADf8GANC2AEqRiHNtAwjJRkkMWQuTzPjzHCZU
yldzKONImW9CXMAnWpNGBonQ2+FWhalQePLdumkFwTAsfG1CMrQK0EKN+aCiEXQ=
=zxlx
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.