[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

pluxml issues are questionable, request for advice

Hi LTS team

I have checked two of the pluxml issues
 This vulnerability is questioned upstream. The "vulnerability" is that a user that can edit themes can update a template that allow that user to execute arbitrary code. However the complaint is that there are plenty of documentation telling the user that this functionality should exist. I would say that it is quite expected that a theme admin user can do this.
The question is how this should be marked:
- no-dsa minor issue?
- ignored?
I may have missed something since this package was added to DLA needed.

This vulnerability is questionable. The vulnerability is that an admin user can edit a configuration file and by that execute arbitrary code. I would say that this is intended behavior even though the attack vector is a little unusual and indicates that there is a fault somewhere. Upstream seems to confirm that there is a vulnerability but not very high. I find it rather unlikely that upstream will publish any update on this in a quick manner.
The question is how this should be marked.
- no-dsa minor issue?
- postponed?
Keep it as is and wait to see if something happens?

Should we have a special file for monitoring issues that may get resolved eventually? Just to not make the dla-needed file cluttered with this kind of monitor for eventual fixes?

Best regards

// Ola

 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

Reply to: