On Thu, Mar 31, 2005 at 09:09:14AM -1000, Joey Hess wrote:
> tag 160579 security
> thanks
>
> We don't just use the security tag in the bts for security holes that
> are limited to shell exploits. This particular problem, which by the way
> has been assigned CVE id CAN-2002-1647, allows interception of some
> user's passwords, and hijacking of their slash accounts, which can be
> considered a security hole. Especially if a user is unwise enough to
> reuse that password elsewhere.
OK, every now and then someone comes up with the idea that this is a security bug. What I'm still waiting for is for someone to explain to me in what way having your slash password intercepted is a _security_ bug. Sure enough, someone could then log in to your slash site and post messages faking your identity. Then what? How does this compromise your security? I disagree with you on this point.

As you point out, this password could be used elsewhere, but is this still the responsibility of the slash package? I mean, should I then file a security bug against all this code that, for example, passes my phone number in its URL because I'm stupid enough to use my phone number as my credit card secret code??

--
Eric VAN BUGGENHAUT [EMAIL PROTECTED]

