
Re: Bad press again...



Michael Stone wrote:
> ...
>> There certainly have been exceptions to that rule.  The maintainer of
>> shorewall has been trying for weeks to get a DSA issued about a
>> vulnerability, and it seems we have to convince Joey that it *is* a
>> vulnerability before he'll issue it.
> ...
> 
> I disagree that convincing the security team of the severity of a bug is
> unreasonable.

I didn't suggest that it was a severe bug (although those who actually
use MAC lists with their firewall might disagree with me there).

Are you suggesting that because it's not a high risk security flaw, it's
still on the "to do" list of the security team, just at lower priority?

> I also disagree with the characterization that much effort
> has been put into describing the bug.

I don't know upon what you're basing your characterization, but I'm
party to at least 3 emails to Joey describing the nature of the bug in
sufficient detail to understand it as a security flaw.  It is not
present in the default configuration of the product, and it doesn't
apply if you don't use MAC lists, but it's still a security vulnerability.

-- 
Paul
<http://paulgear.webhop.net>
--
Did you know?  Email addresses can be forged easily.  This message is
signed with GNU Privacy Guard <http://www.gnupg.org> and Enigmail
<http://enigmail.mozdev.org> so you can be sure it comes from me.

Attachment: signature.asc
Description: OpenPGP digital signature

