Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE request: Debian's package "mysql-server" leaks credential information
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Sat, 08 Jun 2013 13:28:28 -0400

On 06/08/2013 07:00 AM, gremlin () gremlin ru wrote:

That's not a security issue, but a misconfiguration

I consider this a security bug in the debian package's maintainer
scripts: it is a race condition that leaks confidential information to a
user who "wins" the race.  It is *not* a misconfiguration; it is a bug
with security implications.

(alas, very common for Deb*an packages)

If you know of more bugs like this, please report them with an e-mail to
submit () bugs debian org with the first line "Package: FOO" (where "FOO"
is replaced by the name of the buggy package).  Thanks!

so at least I doubt that deserves a CVE.

I respectfully disagree; if an upstream package leaks confidential
information to an adversary who "wins" a race, that is a bug which
deserves a CVE.  Debian packaging bugs should be held to the same standard.


        --dkg (i am a member of the debian project)

Attachment: signature.asc
Description: OpenPGP digital signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]