oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Questionable CVE's reported against dnsmasq

From: Peter Gutmann <pgut001 () cs auckland ac nz>
Date: Mon, 3 Nov 2025 12:53:31 +0000
Russ Allbery <eagle () eyrie org> writes:


This is a bit of an "ask the Lazyweb" question since I have done only minimal
research, but is there any way for me to declare, as the software maintainer,
what I consider to be the security boundaries of the software in a way that
can be at least partially machine-readable?


Even before getting into that, how do you document that people shouldn't do
certain things with their config files, or by extension which bits are inside
and outside the security boundary?  "If an unauthorised party can modify your
config files then bad things can happen" seems redundant, "We take no
responsibility for what happens if you fail to take unspecified steps to
secure your config files" might be correct but will be perceived as blame-the-
victim... how do you document this for users?

Peter.
Previous By Date Next
Previous By Thread Next

Current thread: