On 7/5/16 10:43 PM, Aaron Bauman wrote:
>
> That CVE request was not from Ago. It was from the respective OSS ML
> referenced in the URL field of the bug report. Not to mention, you as a
> maintainer were able to discover another issue with that package and fix
> it.
>

You never bothered to follow that OSS ML link. For others reading this
email, here is the link:

http://www.openwall.com/lists/oss-security/2013/02/24/5

Here's a copy of that entire email:

<email>

Date: Sun, 24 Feb 2013 20:00:57 +0100
From: Agostino Sarubbo <ago@××××××.org>
To: oss-security@××××××××××××××.com
Subject: CVE request: monkeyd world-readable logdir

Monkeyd, a small, fast, and scalable web server, produces, at least on
gentoo a world-readable log.

# ls /var/log/monkeyd/master.log -la
-rw-r--r-- 1 root root 0 Feb 24 19:56 /var/log/monkeyd/master.log

Upstream site: http://www.monkey-project.com/

--
Agostino Sarubbo
Gentoo Linux Developer

</email>


That is what you p.masked on. That's it. Neither you nor Ago really
understood the issue with monkeyd's logging. There were no followup
emails and no CVE was assigned. Its junk. |

By both initiating and following through on such low quality bugs, you
are damaging the reputation of the security project.


>> I personally would like to see only QA oversee any forced p.maskings and
>> have the security team pass that task over to QA for review. By forced
>> I mean without the cooperation of the maintainer.
>>
>
> Again, no one else has had an issue with this except you. The one who
> doesn't want to cooperate.

Having people review your work is a good idea, no? So in cases where
security wants to touch a package, why not ping the maintainer first
and in case of a dispute or no response, escalate the issue to QA who
will review the problem and act.

Are you okay with this change in procedure?


--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
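The quoted CVE request rests on a single `ls -la` line showing the log file with mode `-rw-r--r--`. As an added example, not part of this thread or of the monkeyd project, here is the kind of check a package maintainer or QA reviewer could run over a log directory to find files readable by "other", together with the tightened mode (owner read/write, group read, nothing for other) that removes that condition. The directory and file names below are constructed in a temporary directory, not the real /var/log/monkeyd path.

```shell
#!/bin/sh
# Added example: find log files that grant read access to "other" and
# tighten their mode. Sample files are constructed under a temp directory.

# Print every regular file under $1 whose mode bits include read for "other"
# (the condition shown by -rw-r--r-- in the quoted ls output), sorted.
world_readable_files() {
    find "$1" -type f -perm -o=r 2>/dev/null | sort
}

# Tightened layout for a log file: owner rw, group r, no access for other.
harden_log_file() {
    chmod 0640 "$1"
}

# Constructed sample: one file left at the weak 0644 mode from the report,
# one already at the tightened 0640 mode.
demo_dir=$(mktemp -d)
touch "$demo_dir/master.log" "$demo_dir/access.log"
chmod 0644 "$demo_dir/master.log"
chmod 0640 "$demo_dir/access.log"

echo "world-readable before hardening:"
world_readable_files "$demo_dir"        # lists master.log only

harden_log_file "$demo_dir/master.log"

echo "world-readable after hardening:"
world_readable_files "$demo_dir"        # lists nothing

rm -rf "$demo_dir"
```

The `find -perm -o=r` test matches on the mode bits alone, so it reports the same result whether run as root or as an unprivileged user; the remaining design question, which group should hold the `r` bit on a 0640 log file, is a packaging decision the thread itself does not settle.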