Dear members of the security team(s),

On Fri, 2007-01-12 at 11:08 -0300, Alex de Oliveira Silva wrote:
> Multiple vulnerabilities have been identified in phpMyAdmin, which may
> be exploited by attackers to execute arbitrary scripting code. These
> issues are due to unspecified input validation errors when processing
> certain parameters, which could be exploited by attackers to cause
> arbitrary scripting code to be executed by the user's browser in the
> security context of an affected Web site.

Have you even read this text?

In recent times, I've been receiving more bug reports against packages I maintain that are worded like above: they are "unspecified" vulnerabilities over "unspecified" vectors with "unknown" implications.

Please, I appreciate it when bugs are filed, but what value do contentless bugs like the one above add? How can they be "important" when there's no information in them?

How would you as a maintainer respond if I submitted a bug against his package with the text "there's an unknown bug somewhere in your package with unknown results"?

thanks,
Thijs
Thijs Kinkhorst wrote:
> Dear members of the security team(s),
>
> On Fri, 2007-01-12 at 11:08 -0300, Alex de Oliveira Silva wrote:
> > Multiple vulnerabilities have been identified in phpMyAdmin, which may
> > be exploited by attackers to execute arbitrary scripting code. These
> > issues are due to unspecified input validation errors when processing
> > certain parameters, which could be exploited by attackers to cause
> > arbitrary scripting code to be executed by the user's browser in the
> > security context of an affected Web site.
>
> Have you even read this text?
>
> In recent times, I've been receiving more bug reports against packages I
> maintain that are worded like above: they are "unspecified"
> vulnerabilities over "unspecified" vectors with "unknown" implications.
>
> Please, I appreciate it when bugs are filed, but what value do
> contentless bugs like the one above add? How can they be "important"
> when there's no information in them?
>
> How would you as a maintainer respond if I submitted a bug against his
> package with the text "there's an unknown bug somewhere in your package
> with unknown results"?

You could probably start writing 15k bugs...

Regards,

Joey

--
Beware of bugs in the above code; I have only proved it correct, not tried it. -- Donald E. Knuth

Please always Cc to me when replying to me on the lists.
Hi Thijs,

On Friday 12 January 2007 16:25, Thijs Kinkhorst wrote:
> In recent times, I've been receiving more bug reports against
> packages I maintain that are worded like above: they are
> "unspecified" vulnerabilities over "unspecified" vectors with
> "unknown" implications.
>
> Please, I appreciate it when bugs are filed, but what value do
> contentless bugs like the one above add? How can they be
> "important" when there's no information in them?

I agree that there needs to be at least some information that allows one to identify the bug. But in this case there is a link to a secunia advisory in the bug report which claims "Fixed in version 2.9.2-rc1". So obviously the changelog or the diff could be used to get more information.

Now the question is whether one should
1) delay the bug report until someone (either security team member or someone else) had time to look into this closer and identify the exact issues or
2) file the bug immediately to alert the maintainer (and allow him to be that "someone" if he has time).

I think 2) is better, especially this close to the release, so that the maintainer has more time to react.

Cheers,
Stefan