Nico Golde wrote:
> Besides that I guess whoever tagged that as a minor
> issue didn't do so because of defeating ASLR with this bug
> but because it's a bad idea to run memcached in untrusted
> environments with the port open to the outside world.

i don't want to get into an argument, but i completely disagree. the core of this CVE is the fact that ASLR is bypassed. and if the tcp port is open by default (and i don't know if it is because i haven't checked), then that is how 99.9% of users are going to run it. of course most sites will have a firewall to the external world, but you can't assume that this is the case (in fact, you should always assume that the user that you are trying to protect is in the worst-case scenario), and it's possible for an intruder to be inside the firewall either via another vulnerability on another system, a misconnected cable, or by physical presence.

i think NOTEs are a somewhat reasonable place to discuss conflicts of opinion because it is centralized, connected to the issue at hand, and the people that triage security issues will come across the discussion/philosophy, have to think about it, and make a decision. and finally, it's easy enough to change the text once that decision is made. however, if the consensus is that this is bad, then i will stop.

ultimately, perhaps the core problem here is that the security tracker provides no means to allow dissenting/conflicting opinion. note that dissenting opinions in US Supreme Court decisions are just as important as the confirming opinions, and are used as the bases for decisions in all future cases in US courts.

best regards,
mike

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

