
Re: Bad press again...



On Tue, Aug 30, 2005 at 06:48:07AM +1000, Paul Gear wrote:
> If we're going to have another crack at it, then, what track should we
> take?  Reopen the bug as Florian suggested, email the security team,
> just keep pestering Joey?

Contact the security team. Describe the bug in such a way that the
security team understands its severity and impact. It is not sufficient
to say "just trust me and issue an advisory". From what I've seen so far
this is not the obvious buffer overflow sort of bug, it's a configured
behavior which deviates from some documented expectation. The question,
then, is how that deviation occurs, what the documented expectation is,
and (most importantly for stable) is there any chance that someone might
be relying on the implemented behavior rather than the documented
behavior.

> interested in blame-casting - I just want to see the 222 people who
> actually use Shorewall on Debian [1] informed about the possibility that
> something could be bypassing their carefully-crafted firewall rules!

ISTM that this is something that they'd notice pretty quick after
testing their rules (or so I guess, since I'm still not entirely clear
about the nature of the bug). And that's the troublesome thing--if it's
an option that nobody uses it's not a big deal, right? But if it is
something someone uses, which they've presumably tested, then there's a
good chance it's working the way they want it to, even if that's not
how it was intended. Without more of an explanation of what's going on,
I'm just guessing.

If the security team does issue an advisory, this is the sort of
examination that needs to happen before writing the text of the
advisory, including possible impacts or changes in behavior. That is why
it is *not* sufficient to simply issue advisories without understanding
what is being issued. To answer your implied question earlier in the
thread, yes, someone from the security team has to "*try* to understand
every security bug". It's not a mechanical process, and our users
presumably expect that we know what we're sending when we issue an
advisory. I'd love if the whole process could be implemented in a simple
script, it would really cut down on the amount of time this security
stuff takes up.

Mike Stone


