[Secure-testing-commits] r11659 - data/CVE
Michael Gilbert
gilbert-guest at alioth.debian.org
Mon Apr 20 03:02:19 UTC 2009
Author: gilbert-guest
Date: 2009-04-20 03:02:19 +0000 (Mon, 20 Apr 2009)
New Revision: 11659
Modified:
data/CVE/list
Log:
reassigning login flaw to sysvinit (following change in bug report) and expanded on philosophy so others can contemplate impact/severity of this issue
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-04-20 02:52:54 UTC (rev 11658)
+++ data/CVE/list 2009-04-20 03:02:19 UTC (rev 11659)
@@ -2721,10 +2721,15 @@
[etch] - thunar <no-dsa> (Minor issue)
[lenny] - thunar <no-dsa> (Minor issue)
NOTE: CVE needs to be requested
-CVE-2009-XXXX [debian-installer: no-root option in expert installer exposes locally exploitable security flaw]
- - debian-installer <unfixed> (bug #517018; unimportant)
+CVE-2009-XXXX [sysvinit: no-root option in expert installer exposes locally exploitable security flaw]
+ - sysvinit <unfixed> (bug #517018; unimportant)
NOTE: hardly a security issue, if an attacker has local access to the machine and you
NOTE: don't use encryption or something similar you have lost anyway
+ NOTE: - this ^ philosophy is flawed; it should not be trivial to get root just because you
+ NOTE: have local access to the machine. it is worth it to make it as difficult as
+ NOTE: possible without impacting authorized users. otherwise, why spend so much effort
+ NOTE: to make sure xscreensaver, gdm, and login are rock solid?
+ NOTE: - i would like to track as low, rather than unimportant
NOTE: should a CVE be requested for this problem?
CVE-2009-0753 (Absolute path traversal vulnerability in MLDonkey 2.8.4 through 2.9.7 ...)
{DSA-1739-1}
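Review bot: The added NOTE lines ask to track this as low, but the entry line in the same hunk still reads `- sysvinit <unfixed> (bug #517018; unimportant)`, so the recorded urgency and the notes now disagree. Either change the urgency in the commit that settles the question, or keep the severity discussion in bug #517018 and leave a single NOTE pointing there. The rebuttal also uses `this ^` to refer to the two NOTE lines above it, which stops making sense if those lines are reordered or removed, and neither position is attributed, so a later reader cannot tell whose assessment is whose. Finally, the package was changed to sysvinit but the bracketed description still says "no-root option in expert installer"; a short NOTE explaining why sysvinit is the affected package would make the reassignment self-explanatory.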