On 03/26/2011 07:55 PM, Giuseppe Iuculano wrote:
> Hi,
>
>> Now, I can see that adding further checking on the Python dtc-xen SOAP
>> server might enhance security as well, so I will write such checks
>> anyway, and make it available in the next version of DTC-Xen.
>> Won't fix
>
> Could you please explain why this is wontfix?
> I think this is a security issue that doesn't warrant a DSA, please fix
> it through a stable point update instead. CCing the stable security
> point update coordinator.
> Cheers,
> Giuseppe.
Hi,
I explained it already. The only thing that is supposed to connect to
the SOAP server of DTC-Xen is the DTC panel. DTC-Xen hasn't been
designed for anything else. This is also why there is a dtc-xen-firewall
that filters connections to the IP of the DTC panel, and why the DTC-Xen SOAP
server uses authentication over SSL.
Under these conditions, there's no way something/someone malicious can
connect to DTC-Xen and do the kind of exploit described in this bug.
If someone wants to change the behavior of DTC-Xen and allow connections
and control from VPS *users*, then I would accept the patch. But that's
currently not the design (yet).
Thomas