On Wed, 20 May 2009 17:29:54 +0200, Nico Golde wrote:
> Hi,
> * Michael Gilbert <[email protected]> [2009-05-20 17:21]:
> > Author: gilbert-guest
> > Date: 2009-05-20 15:16:19 +0000 (Wed, 20 May 2009)
> > New Revision: 11940
> >
> > Modified:
> > data/CVE/list
> > Log:
> > is disregard the best course of action for weaknesses in security hardening
> > features (e.g. memcached issue)?
> >
> >
> > Modified: data/CVE/list
> > ===================================================================
> > --- data/CVE/list 2009-05-20 15:04:06 UTC (rev 11939)
> > +++ data/CVE/list 2009-05-20 15:16:19 UTC (rev 11940)
> > @@ -1325,6 +1325,9 @@
> > [etch] - memcachedb <no-dsa> (Minor issue)
> > [lenny] - memcachedb <no-dsa> (Minor issue)
> > [squeeze] - memcachedb <no-dsa> (Minor issue)
> > + NOTE: why are weaknesses in security hardening features like ASLR
> > considered minor?
> > + NOTE: even though this is not directly a vulnerability itself, part of
> > this application's armor is now missing; making it easier for unknown
> > vulnerabilities to be effective.
> > + TODO: reevaluate debian's position on weaknesses in security hardening
> > features
>
> Do you honestly think anyone is starting a discussion with
> you via NOTEs? If you want to discuss things, start a thread
> on the mailing list rather than putting notes in the CVE
> list. Besides that I guess whoever tagged that as a minor
> issue didn't do so because of defeating ASLR with this bug
> but because it's a bad idea to run memcached in untrusted
> environments with the port open to the outside world.

ok
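
Review bot: the first NOTE and the TODO added after the `[squeeze] - memcachedb <no-dsa> (Minor issue)` line are an open question and a policy item rather than information about this entry, so they tell a reader of data/CVE/list nothing about the issue's status in etch, lenny or squeeze. Suggest dropping both from the hunk and keeping at most the second NOTE, reworded as a plain statement that the issue weakens a hardening feature (ASLR) rather than being a vulnerability by itself, with a pointer to wherever the policy question is raised. As written, the TODO also names no owner and no condition for removing it, so it would stay attached to this one entry indefinitely.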

