| 1 |
On 7/5/16 10:43 PM, Aaron Bauman wrote: |
| 2 |
> |
| 3 |
> That CVE request was not from Ago. It was from the respective OSS ML |
| 4 |
> referenced in the URL field of the bug report. Not to mention, you as a |
| 5 |
> maintainer were able to discover another issue with that package and fix |
| 6 |
> it. |
| 7 |
> |
| 8 |
|
| 9 |
You never bothered to follow that OSS ML link. For others reading this |
| 10 |
email, here is the link: |
| 11 |
|
| 12 |
http://www.openwall.com/lists/oss-security/2013/02/24/5 |
| 13 |
|
| 14 |
Here's a copy of that entire email: |
| 15 |
|
| 16 |
<email> |
| 17 |
|
| 18 |
Date: Sun, 24 Feb 2013 20:00:57 +0100 |
| 19 |
From: Agostino Sarubbo <ago@××××××.org> |
| 20 |
To: oss-security@××××××××××××××.com |
| 21 |
Subject: CVE request: monkeyd world-readable logdir |
| 22 |
|
| 23 |
Monkeyd, a small, fast, and scalable web server, produces, at least on |
| 24 |
gentoo a world-readable log. |
| 25 |
|
| 26 |
# ls /var/log/monkeyd/master.log -la |
| 27 |
-rw-r--r-- 1 root root 0 Feb 24 19:56 /var/log/monkeyd/master.log |
| 28 |
|
| 29 |
Upstream site: http://www.monkey-project.com/ |
| 30 |
|
| 31 |
-- |
| 32 |
Agostino Sarubbo |
| 33 |
Gentoo Linux Developer |
| 34 |
|
| 35 |
</email> |
| 36 |
|
| 37 |
|
| 38 |
That is what you p.masked on. That's it. Neither you nor Ago really |
| 39 |
understood the issue with monkeyd's logging. There were no followup |
| 40 |
emails and no CVE was assigned. Its junk. |
| 41 |
|
| 42 |
By both initiating and following through on such low quality bugs, you |
| 43 |
are damaging the reputation of the security project. |
| 44 |
|
| 45 |
|
| 46 |
>> I personally would like to see only QA oversee any forced p.maskings and |
| 47 |
>> have the security team pass that task over to QA for review. By forced |
| 48 |
>> I mean without the cooperation of the maintainer. |
| 49 |
>> |
| 50 |
> |
| 51 |
> Again, no one else has had an issue with this except you. The one who |
| 52 |
> doesn't want to cooperate. |
| 53 |
|
| 54 |
Having people review your work is a good idea, no? So in cases where |
| 55 |
security wants to touch a packages, why not ping the maintainer first |
| 56 |
and in case of a dispute or no response, escalate the issue to QA who |
| 57 |
will review the problem and act. |
| 58 |
|
| 59 |
Are you okay with this change in procedure? |
| 60 |
|
| 61 |
|
| 62 |
-- |
| 63 |
Anthony G. Basile, Ph. D. |
| 64 |
Chair of Information Technology |
| 65 |
D'Youville College |
| 66 |
Buffalo, NY 14201 |
| 67 |
(716) 829-8197 |
Archives