Author: gilbert-guest
Date: 2009-04-20 03:02:19 +0000 (Mon, 20 Apr 2009)
New Revision: 11659
Modified:
data/CVE/list
Log:
reassigning login flaw to sysvinit (following change in bug report) and expanded
on philosophy so others can contemplate impact/severity of this issue
Modified: data/CVE/list
==================================================================---
data/CVE/list 2009-04-20 02:52:54 UTC (rev 11658)
+++ data/CVE/list 2009-04-20 03:02:19 UTC (rev 11659)
@@ -2721,10 +2721,15 @@
[etch] - thunar <no-dsa> (Minor issue)
[lenny] - thunar <no-dsa> (Minor issue)
NOTE: CVE needs to be requested
-CVE-2009-XXXX [debian-installer: no-root option in expert installer exposes
locally exploitable security flaw]
- - debian-installer <unfixed> (bug #517018; unimportant)
+CVE-2009-XXXX [sysvinit: no-root option in expert installer exposes locally
exploitable security flaw]
+ - sysvinit <unfixed> (bug #517018; unimportant)
NOTE: hardly a security issue, if an attacker has local access to the machine
and you
NOTE: don''t use encryption or something similar you have lost anyway
+ NOTE: - this ^ philosophy is flawed; it should not be trivial to get
root just because you
+ NOTE: have local access to the machine. it is worth it to make it as
difficult as
+ NOTE: possible without impacting authorized users. otherwise, why
spend so much effort
+ NOTE: to make sure xscreensaver, gdm, and login are rock solid?
+ NOTE: - i would like to track as low, rather than unimportant
NOTE: should a CVE be requested for this problem?
CVE-2009-0753 (Absolute path traversal vulnerability in MLDonkey 2.8.4 through
2.9.7 ...)
{DSA-1739-1}
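Review bot: the added NOTE lines close with "i would like to track as low, rather than unimportant", but the new package line in the same entry still reads "sysvinit <unfixed> (bug #517018; unimportant)", so the entry now argues against its own severity tag. Either change the tag in this commit or keep the severity discussion in bug #517018 and leave only a short pointer here. The "this ^ philosophy" reference depends on the position of the two NOTE lines above it and becomes ambiguous if notes are later added or reordered; quoting or naming the claim being disputed would be more robust. The bracketed description also still says "no-root option in expert installer" after the reassignment from debian-installer to sysvinit, so a NOTE stating why sysvinit is the affected package would help readers who do not follow the bug report.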