Hi Julien, * Julien BLACHE <[EMAIL PROTECTED]> [2007-10-17 21:48]: > Nico Golde <[EMAIL PROTECTED]> wrote: > > This was marked as a security flaw with low impact in the > > security tracker by me. So this is no "please upload as fast > > as possible" bug but I think the patch won't hurt. > > The patch doesn't fix anything but makes it easier to do the check in > its simplest form in the config file. > > This is not a vulnerability, it's not even a flaw because having the > two URIs mismatch is allowed by the standard and happens in some > setups for valid reasons.
Ok. > There's no hole in OpenSER itself; depending on the user setup, > checking the URIs can be required or not, so it's entirely a config > issue from there on. Ok sounds plausible. > I don't consider this a security issue as far as Debian is concerned > and I recommend not issuing a DSA for this. I feel issuing a DSA for > this issue could potentially mislead our users, letting them think the > update handles the problem when it doesn't. > > So if you agree with this, I'm just going to leave this bug open and > I'll close it with the OpenSER 1.3 upload in december. Ok, I marked it as unimportant and downgraded this bug. Thanks for your efforts! Cheers Nico -- Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
pgpc5iD7gP0qh.pgp
Description: PGP signature

