Michael Stone wrote:
> ...
>> There certainly have been exceptions to that rule. The maintainer of
>> shorewall has been trying for weeks to get a DSA issued about a
>> vulnerability, and it seems we have to convince Joey that it *is* a
>> vulnerability before he'll issue it.
> ...
>
> I disagree that convincing the security team of the severity of a bug is
> unreasonable.

I didn't suggest that it was a severe bug (although those who actually use MAC lists with their firewall might disagree with me there). Are you suggesting that because it's not a high risk security flaw, it's still on the "to do" list of the security team, just at lower priority?

> I also disagree with the characterization that much effort
> has been put into describing the bug.

I don't know upon what you're basing your characterization, but I'm party to at least 3 emails to Joey describing the nature of the bug in sufficient detail to understand it as a security flaw. It is not present in the default configuration of the product, and it doesn't apply if you don't use MAC lists, but it's still a security vulnerability.

--
Paul
<http://paulgear.webhop.net>
--
Did you know? Email addresses can be forged easily. This message is signed with GNU Privacy Guard <http://www.gnupg.org> and Enigmail <http://enigmail.mozdev.org> so you can be sure it comes from me.