Author: jmm-guest Date: 2010-02-08 17:48:00 +0000 (Mon, 08 Feb 2010) New Revision: 14061 Modified: data/CVE/list data/embedded-code-copies Log: - bzr code copies fixed - glibc issue not a vulnerability - systemtap issue not in Etch Modified: data/CVE/list ==================================================================--- data/CVE/list 2010-02-08 04:56:39 UTC (rev 14060) +++ data/CVE/list 2010-02-08 17:48:00 UTC (rev 14061) @@ -185,10 +185,7 @@ - nautilus <not-affected> (proof-of-concept script is previewed as text, not executed) NOTE: http://seclists.org/fulldisclosure/2010/Feb/112 CVE-2010-XXXX [samba: remote zero-day vulnerability] - - samba <unfixed> (high; bug #568493) -CVE-2010-XXXX [glibc: house of mind vulnerability] - - eglibc 2.10.2-6 (medium; bug #568488) - - glibc <removed> (medium) + - samba <unfixed> (low; bug #568493) CVE-2010-XXXX [browser javascript document.write denial-of-service] - xulrunner <unfixed> (unimportant; bug #568486) - webkit <unfixed> (unimportant; bug #568485) @@ -317,8 +314,8 @@ RESERVED CVE-2010-0411 [systemtap buffer overflow] RESERVED - - systemtap <unfixed> (low) - [lenny] - systemtap <no-dsa> (Minor issue) + - systemtap <unfixed> (low; bug #568809) + [lenny] - systemtap <not-affected> (Vulnerable code not present) [etch] - systemtap <no-dsa> (Minor issue) NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=11234 and RH CVE-2010-0410 [kernel OOM via NETLINK_CONNECTOR] Modified: data/embedded-code-copies ==================================================================--- data/embedded-code-copies 2010-02-08 04:56:39 UTC (rev 14060) +++ data/embedded-code-copies 2010-02-08 17:48:00 UTC (rev 14061) @@ -1180,7 +1180,7 @@ - gamera 3.2.3-1 (embed) configobj - - bzr <unfixed> (embed; bug #555336) + - bzr 2.1.0~rc2-1 (embed; bug #555336) - elisa <unfixed> (embed; bug #555337) - gaupol <unfixed> (embed; bug #555338) - ipython <unfixed> (embed; bug #555339) 
@@ -1233,7 +1233,7 @@ elementtree - python2.5 <unfixed> (embed) - python2.6 <unfixed> (embed) - - bzr <unfixed> (embed; bug #555343) + - bzr 2.1.0~rc2-1 (embed; bug #555343) - gedit 2.28.2-1 (embed; bug #555344) - smart <unfixed> (embed) - solfege <unfixed> (embed; bug #555345)
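Review bot: In the data/CVE/list hunk at @@ -185,10 +185,7 @@, the samba entry's urgency drops from high to low, but the Log lists only the bzr, glibc and systemtap changes. Mention the samba change in the log together with the reason for the new urgency. The same hunk deletes the glibc "house of mind" entry outright, which also drops the references to bug #568488; if the entry is judged not to be a vulnerability, a NOTE recording that decision would keep the reasoning visible in the tracker.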
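Review bot: In the systemtap hunk at @@ -317,8 +314,8 @@, the Log says "systemtap issue not in Etch", but the line changed to <not-affected> (Vulnerable code not present) is the [lenny] one, while the [etch] line stays at <no-dsa> (Minor issue). The log and the release tag disagree; confirm which release lacks the vulnerable code and correct whichever of the two is wrong.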
On Mon, 8 Feb 2010 17:48:02 +0000, Moritz Muehlenhoff wrote:
> Author: jmm-guest
> Date: 2010-02-08 17:48:00 +0000 (Mon, 08 Feb 2010)
> New Revision: 14061
>
> Modified:
>    data/CVE/list
>    data/embedded-code-copies
> Log:
> - bzr code copies fixed
> - glibc issue not a vulnerability

please explain why this is not an issue. it adds additional protection from memory corruption; making it harder to introduce malicious code.

even if you consider it a security hardening feature, then it is still a security issue. you could mark it unimportant, and make a note about that, but removing it is not right.

mike
On Mon, 8 Feb 2010 17:48:02 +0000, Moritz Muehlenhoff wrote:
> Author: jmm-guest
> Date: 2010-02-08 17:48:00 +0000 (Mon, 08 Feb 2010)
> New Revision: 14061
>
> Modified:
>    data/CVE/list
>    data/embedded-code-copies
> Log:
> - bzr code copies fixed
> - glibc issue not a vulnerability
> - systemtap issue not in Etch
[...]
> CVE-2010-XXXX [samba: remote zero-day vulnerability]
> - - samba <unfixed> (high; bug #568493)
> + - samba <unfixed> (low; bug #568493)

from the narrative_introduction, issues for which exploits exist in the wild should be considered high urgency. i am working this issue and have treated it as such.

you have said on many occasions that you consider urgencies to be of little use, so why are you so intent on tweaking them so often? i don't see how that is actually productive.

mike
Hey,
* Michael Gilbert <michael.s.gilbert at gmail.com> [2010-02-08 22:02]:
> On Mon, 8 Feb 2010 17:48:02 +0000, Moritz Muehlenhoff wrote:
> > Author: jmm-guest
> > Date: 2010-02-08 17:48:00 +0000 (Mon, 08 Feb 2010)
> > New Revision: 14061
> >
> > Modified:
> >    data/CVE/list
> >    data/embedded-code-copies
> > Log:
> > - bzr code copies fixed
> > - glibc issue not a vulnerability
> > - systemtap issue not in Etch
> [...]
> > CVE-2010-XXXX [samba: remote zero-day vulnerability]
> > - - samba <unfixed> (high; bug #568493)
> > + - samba <unfixed> (low; bug #568493)
>
> from the narrative_introduction, issues for which exploits exist in the
> wild should be considered high urgency.
[...]

I don't think you can take the narrative introduction exactly this way, it's not a policy, just a pointer to the general workflow. As we already outlined quite a lot, common sense applies to these rankings. Though I disagree with both of you, this is no high issue as it doesn't affect every samba installation and as well it isn't low like /tmp/ races... I think medium is pretty appropriate.

Cheers

P.S. I agree, I also don't waste productive time on such discussions (I don't have time at the moment as you noticed), but in the end I also don't want a security tracker reflecting Debian to be unable to properly rank vulnerabilities :) I'd even vote for removing that altogether, include the CVSS score and everyone can rank it for himself on his personal todo list...
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Hey,
* Michael Gilbert <michael.s.gilbert at gmail.com> [2010-02-08 22:02]:
> On Mon, 8 Feb 2010 17:48:02 +0000, Moritz Muehlenhoff wrote:
> > Author: jmm-guest
> > Date: 2010-02-08 17:48:00 +0000 (Mon, 08 Feb 2010)
> > New Revision: 14061
> >
> > Modified:
> >    data/CVE/list
> >    data/embedded-code-copies
> > Log:
> > - bzr code copies fixed
> > - glibc issue not a vulnerability
>
> please explain why this is not an issue. it adds additional protection
> from memory corruption; making it harder to introduce malicious code.
>
> even if you consider it a security hardening feature, then it is still a
> security issue. you could mark it unimportant, and make a note about
> that, but removing it is not right.

We track security issues, not hardening features. I'm also not sure if this will even get a CVE id. If there is an issue, it's in the application, not in the glibc and so I don't even think we should track it. The house of mind is no vulnerability but a trick to bypass certain glibc restrictions when exploiting heap overflows. We also aren't tracking kernels that have randomize_va_space not set to 1 per default as vulnerabilities and that makes well sense.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Hey,
* Nico Golde <debian-secure-testing+ml at ngolde.de> [2010-02-08 23:49]:
> P.S. I agree, I also don't waste productive time on such discussions (I don't
                            ^ want :)

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.