Re: FreeBSD UFS vulnerability: Is NIST off its medication, or am I missing something?
In response to Colin Percival [EMAIL PROTECTED]:

> Bill Moran wrote:
> > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5824
> >
> > Following the links around, it seems that you would have to mount a
> > corrupt or malicious filesystem in order to exploit this vulnerability.
> > Yes, NIST claims there is no authentication required to exploit?
> >
> > Are new versions of FreeBSD suddenly allowing unauthenticated users to
> > mount filesystems by default? If so, something's wrong with my 6.1
> > workstation!
> >
> > It seems like this is the 2nd or 3rd vulnerability I've seen that's been
> > blown out of proportion by NIST, or am I missing something?
>
> CVE names are assigned, and NIST creates an entry in its database, whenever
> someone claims that a security problem exists; their purpose is to provide
> a consistent name for whatever people are talking about, not to decide what
> exactly constitutes a security issue (as I explained in my BSDCan'06 paper,
> different vendors have many different policies about what constitute
> security issues).
>
> In this case (and another very similar bug found by the MoKB people), the
> FreeBSD security team has no intention to handle the bug as a security
> issue; obviously this is a kernel bug and deserves to be fixed, but no more
> so than any other kernel bug, and in fact this bug seems far less important
> than most.

That was my thought. In my opinion, anything that requires root access to exploit doesn't constitute a security issue, since someone with root privvies can do whatever they want anyway, by definition.

It looks as if MoKB has an axe to grind ... I expect we'll see a lot more exaggerated security problems come out of them before November is over ...

Thanks for the feedback, Colin.

--
Bill Moran
Collaborative Fusion Inc.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

FreeBSD UFS vulnerability: Is NIST off its medication, or am I missing something?
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5824

Following the links around, it seems that you would have to mount a corrupt or malicious filesystem in order to exploit this vulnerability. Yes, NIST claims there is no authentication required to exploit?

Are new versions of FreeBSD suddenly allowing unauthenticated users to mount filesystems by default? If so, something's wrong with my 6.1 workstation!

It seems like this is the 2nd or 3rd vulnerability I've seen that's been blown out of proportion by NIST, or am I missing something?

Re: FreeBSD UFS vulnerability: Is NIST off its medication, or am I missing something?
Bill Moran wrote:

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5824
>
> Following the links around, it seems that you would have to mount a
> corrupt or malicious filesystem in order to exploit this vulnerability.
> Yes, NIST claims there is no authentication required to exploit?
>
> Are new versions of FreeBSD suddenly allowing unauthenticated users to
> mount filesystems by default? If so, something's wrong with my 6.1
> workstation!
>
> It seems like this is the 2nd or 3rd vulnerability I've seen that's been
> blown out of proportion by NIST, or am I missing something?

CVE names are assigned, and NIST creates an entry in its database, whenever someone claims that a security problem exists; their purpose is to provide a consistent name for whatever people are talking about, not to decide what exactly constitutes a security issue (as I explained in my BSDCan'06 paper, different vendors have many different policies about what constitute security issues).

In this case (and another very similar bug found by the MoKB people), the FreeBSD security team has no intention to handle the bug as a security issue; obviously this is a kernel bug and deserves to be fixed, but no more so than any other kernel bug, and in fact this bug seems far less important than most.

Colin Percival