On Tue, Aug 30, 2005 at 06:48:07AM +1000, Paul Gear wrote:
If we're going to have another crack at it, then, what track should we take? Reopen the bug as Florian suggested, email the security team, just keep pestering Joey?
Contact the security team. Describe the bug in such a way that the security team understands its severity and impact. It is not sufficient to say "just trust me and issue an advisory". From what I've seen so far this is not the obvious buffer overflow sort of bug, it's a configured behavior which deviates from some documented expectation. The question, then, is how that deviation occurs, what the documented expectation is, and (most importantly for stable) is there any chance that someone might be relying on the implemented behavior rather than the documented behavior.
interested in blame-casting - I just want to see the 222 people who actually use Shorewall on Debian [1] informed about the possibility that something could be bypassing their carefully-crafted firewall rules!
ISTM that this is something that they'd notice pretty quick after testing their rules (or so I guess, since I'm still not entirely clear about the nature of the bug). And that's the troublesome thing--if it's an option that nobody uses it's not a big deal, right? But if it is something someone uses, which they've presumably tested, then there's a good chance it's working the way they want it to, even if that's not how it was intended. Without more of an explanation of what's going on, I'm just guessing.

If the security team does issue an advisory, this is the sort of examination that needs to happen before writing the text of the advisory, including possible impacts or changes in behavior. That is why it is *not* sufficient to simply issue advisories without understanding what is being issued.

To answer your implied question earlier in the thread, yes, someone from the security team has to "*try* to understand every security bug". It's not a mechanical process, and our users presumably expect that we know what we're sending when we issue an advisory. I'd love if the whole process could be implemented in a simple script, it would really cut down on the amount of time this security stuff takes up.

Mike Stone

