[Pkg-monitoring-maintainers] Bug#760372: Bug#760372: Bug#760372: loganalyzer: CVE-2014-6070

Salvatore Bonaccorso carnil at debian.org
Sat Sep 6 19:06:45 UTC 2014


Hi Daniel,

On Wed, Sep 03, 2014 at 02:05:53PM +0200, Daniel Pocock wrote:
> Salvatore, I'd prefer to update the package closer to the freeze and
> roll up any other changes in a single release.

Personal opinion: having a fix sooner in testing would be preferable.
This way the whole package would receive more testing already before
the freeze.

> People should not be making LogAnalyzer available to the world,
> especially without additional access controls (HTTP authentication) so
> that provides some protection against flaws that do exist in this product.
> 
> How would the security team feel if this package was classified in a
> similar way to the ganglia-web package, e.g. security alerts are not RC
> bugs and users advised to protect the URL with the webserver?

It is hard to prevent a syslog analysis tool from processing data from
untrusted sources. Releasing the package mentioning such a restriction
to security support somehow does not make sense, considering the
intended use of the package.

In the concrete instance of
http://seclists.org/fulldisclosure/2014/Sep/17, a malicious syslog
client, by setting an appropriate hostname, could perform an XSS
injection, even if the loganalyzer instance would be secured with
additional access controls. Is this correct and do you agree?

Regards,
Salvatore
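The scenario raised above (a syslog client choosing its own HOSTNAME field, which then reaches a web viewer behind HTTP authentication) is illustrated by the following added example. It is not LogAnalyzer's or rsyslog's code: it is a constructed minimal RFC 3164 line parser, two constructed HTML renderers (the interpolating pattern next to the escaping one), and a collector-side hostname syntax check. The sample log lines are constructed; the parser assumes a collector that stores the HOSTNAME field exactly as received from the client.

```python
"""Constructed illustration (not LogAnalyzer code): a syslog client controls
the HOSTNAME field of every line it sends, so a viewer that renders stored
fields into HTML without escaping is exposed to stored XSS regardless of any
HTTP authentication placed in front of the viewer."""
import html
import re

# Minimal RFC 3164 shape: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# RFC 1123 hostname syntax: letters, digits, hyphens inside labels; dots between labels.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed sample lines: one honest client, one that chose its own "hostname".
GOOD_LINE = "<13>Sep  6 19:06:45 web01.example.org sshd[1042]: Accepted publickey for admin"
EVIL_LINE = "<13>Sep  6 19:06:45 <script>alert(1)</script> sshd[1]: hello"


def parse_syslog(line: str) -> dict:
    """Split a line into pri/ts/host/msg exactly as a collector that trusts
    the HOSTNAME field would store it (no canonicalisation, no validation)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    return m.groupdict()


def hostname_is_valid(host: str) -> bool:
    """Collector-side defence in depth: reject anything that is not a
    syntactically valid hostname before it is stored."""
    return HOSTNAME_RE.match(host) is not None


def render_row_unescaped(rec: dict) -> str:
    """Vulnerable pattern: stored fields interpolated straight into markup.
    The client-supplied hostname becomes live HTML in the viewer."""
    return (f"<tr><td>{rec['ts']}</td><td>{rec['host']}</td>"
            f"<td>{rec['msg']}</td></tr>")


def render_row_escaped(rec: dict) -> str:
    """Hardened pattern: every stored field is HTML-escaped at output time,
    which is the actual fix; hostname validation alone does not cover MSG."""
    cells = "".join(f"<td>{html.escape(rec[k], quote=True)}</td>"
                    for k in ("ts", "host", "msg"))
    return f"<tr>{cells}</tr>"


def contains_raw_markup(rendered: str, rec: dict) -> bool:
    """True when a stored field containing '<' survived verbatim into the page."""
    return any("<" in rec[k] and rec[k] in rendered for k in ("host", "msg"))


if __name__ == "__main__":
    for line in (GOOD_LINE, EVIL_LINE):
        rec = parse_syslog(line)
        print("hostname valid:", hostname_is_valid(rec["host"]))
        print("unescaped     :", render_row_unescaped(rec))
        print("escaped       :", render_row_escaped(rec))
```

Running it shows the point of the thread: the access control in front of the viewer never sees the attacker, who only needs to be able to send one UDP or TCP syslog datagram to the collector. The hostname check is worth having at the collector, but the MSG field is free text by design, so output-time escaping in the viewer is the control that cannot be skipped.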


