On Sat, Dec 29, 2012 at 5:22 PM, Henri Salo wrote: > Hello list, > > I wonder if we should remove security-tag from issue #500295? It is > tracked as TEMP-0500295-A176F7, but I do not think that this is > security vulnerability. It should also be removed from CVE/list as it > won't get CVE identifier. I do not see any practical attack vectors for > this issue. Security tracker data at the moment: > > CVE-2008-XXXX [possible script injection via /etc/wordpress/wp-config.php] > - wordpress <unfixed> (bug #500295; unimportant) > NOTE: bigger problems, if attacker has access to /etc/wordpress/*
Why not just plug in the fixed package version? > In my opinion we should not leave non-issues to tracker. My opinion is quite the opposite. Information about non-issues (i.e. the unimportant tag) is educational and demonstrates a commitment to transparency and an effort at completeness for all potential security issues. Best wishes, Mike _______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
