In response to Colin Percival <[EMAIL PROTECTED]>:

> Bill Moran wrote:
> > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5824
> > 
> > Following the links around, it seems that you would have to mount a
> > "corrupt" or "malicious" filesystem in order to exploit this
> > "vulnerability".
> > 
> > Yes, NIST claims there is no authentication required to exploit?  Are new
> > versions of FreeBSD suddenly allowing unauthenticated users to mount
> > filesystems by default?
> > If so, something's wrong with my 6.1 workstation!
> > 
> > It seems like this is the 2nd or 3rd "vulnerability" I've seen that's been
> > blown out of proportion by NIST, or am I missing something?
> 
> CVE names are assigned, and NIST creates an entry in its database, whenever
> someone claims that a security problem exists; their purpose is to provide
> a consistent name for whatever people are talking about, not to decide what
> exactly constitutes a security issue (as I explained in my BSDCan'06 paper,
> different vendors have many different policies about what constitute security
> issues).
> 
> In this case (and another very similar bug found by the MoKB people), the
> FreeBSD security team has no intention to handle the bug as a security issue;
> obviously this is a kernel bug and deserves to be fixed, but no more so than
> any other kernel bug, and in fact this bug seems far less important than most.

That was my thought.  In my opinion, anything that requires root access to
exploit doesn't constitute a security issue, since someone with root
privileges can do whatever they want anyway, by definition.

It looks as if MoKB has an axe to grind ... I expect we'll see a lot more
exaggerated "security problems" come out of them before November is over ...

Thanks for the feedback, Colin.

-- 
Bill Moran
Collaborative Fusion Inc.



_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions