Hi Julien,
* Julien BLACHE <[EMAIL PROTECTED]> [2007-10-17 21:48]:
> Nico Golde <[EMAIL PROTECTED]> wrote:
> > This was marked as a security flaw with low impact in the 
> > security tracker by me. So this is no "please upload as fast 
> > as possible" bug but I think the patch won't hurt.
> 
> The patch doesn't fix anything but makes it easier to do the check in
> its simplest form in the config file.
> 
> This is not a vulnerability, it's not even a flaw because having the
> two URIs mismatch is allowed by the standard and happens in some
> setups for valid reasons.

Ok.

> There's no hole in OpenSER itself; depending on the user setup,
> checking the URIs can be required or not, so it's entirely a config
> issue from there on.

Ok sounds plausible.

> I don't consider this a security issue as far as Debian is concerned
> and I recommend not issuing a DSA for this. I feel issuing a DSA for
> this issue could potentially mislead our users, letting them think the
> update handles the problem when it doesn't.
> 
> So if you agree with this, I'm just going to leave this bug open and
> I'll close it with the OpenSER 1.3 upload in december.

Ok, I marked it as unimportant and downgraded this bug.
Thanks for your efforts!
Cheers
Nico
-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpc5iD7gP0qh.pgp
Description: PGP signature

Reply via email to