Hi, * Michael Gilbert <[email protected]> [2009-05-20 17:21]: > Author: gilbert-guest > Date: 2009-05-20 15:16:19 +0000 (Wed, 20 May 2009) > New Revision: 11940 > > Modified: > data/CVE/list > Log: > is disregard the best course of action for weaknesses in security hardening > features (e.g. memcached issue)? > > > Modified: data/CVE/list > =================================================================== > --- data/CVE/list 2009-05-20 15:04:06 UTC (rev 11939) > +++ data/CVE/list 2009-05-20 15:16:19 UTC (rev 11940) > @@ -1325,6 +1325,9 @@ > [etch] - memcachedb <no-dsa> (Minor issue) > [lenny] - memcachedb <no-dsa> (Minor issue) > [squeeze] - memcachedb <no-dsa> (Minor issue) > + NOTE: why are weaknesses in security hardening features like ASLR > considered minor? > + NOTE: even though this is not directly a vulnerability itself, part of > this application's armor is now missing; making it easier for unknown > vulnerabilities to be effective. > + TODO: reevaluate debian's position on weaknesses in security hardening > features
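Review bot: The three lines added after the [squeeze] memcachedb entry (two NOTE lines and one TODO) ask an open policy question instead of recording a fact about this issue, so they would remain in data/CVE/list with no owner and no resolution. Suggest raising the question on the mailing list and, if a marker is still wanted in the tracker, keeping a single NOTE that says how the ASLR weakness bears on this entry. The TODO "reevaluate debian's position on weaknesses in security hardening features" is not specific to memcachedb and is better tracked outside the per-CVE data; the Log message is likewise phrased as a question rather than a description of the change.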
Do you honestly think anyone is starting a discussion with you via NOTEs? If you want to discuss things, start a thread on the mailing list rather than putting notes in the CVE list.

Besides that I guess whoever tagged that as a minor issue didn't do so because of defeating ASLR with this bug but because it's a bad idea to run memcached in untrusted environments with the port open to the outside world.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
_______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

