On Tue, Feb 01, 2011 at 02:20:14PM +0800, Thomas Goirand wrote:
> If you really think that there's some root exploit in any package, you
> should contact the security team AND the upstream author (myself in this
> case) *privately* to warn them about the issue, so a fix can be
> published before disclosing. If you were from outside Debian, I would
> understand that you don't know it. But as a DD for many years, I think
> this is a quite non-responsible behavior to just send this as a public
> bug. Please try to remember this next time.
No. I have been doing public disclosure for years. Especially as this bug does not describe anything new: the author even documented it in the source.

> On 02/01/2011 06:17 AM, Bastian Blank wrote:
> > dtc-xen includes several command executions as root that use unchecked
> > user input in dtc-soap-server.
> In the logic behind DTC and DTC-Xen, you shouldn't grant access to the
> SOAP daemon to a user you do not trust. In other words, nobody should be
> able to do what you write above. Parameter consistency checks are made
> on the web interface side. So I won't consider what you reported above as
> a security issue and RC bug.

The daemon authenticates users, explicitly, not a given web frontend. So it is designed to be reachable by users.

Bastian

-- 
Time is fluid ... like a river with currents, eddies, backwash.
		-- Spock, "The City on the Edge of Forever", stardate 3134.0
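The disagreement above is about where the trust boundary sits: since the SOAP daemon authenticates users itself, any parameter it passes to a root command has to be checked in the daemon, not in a web interface that may or may not be in front of it. The following added illustration (not code from dtc-xen or from either poster) contrasts the unchecked pattern with a handler that validates the parameter against a strict allow-list and passes an argument vector without a shell; the `xm shutdown` command and the VM-name parameter are assumptions for illustration.

```python
import re
import subprocess

# Assumed parameter shape: a VM name made of a small, fixed character set.
# Anything outside this allow-list is rejected before it reaches a root command.
VM_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,31}$")


def is_valid_vm_name(name):
    """True only for strings that match the allow-list exactly."""
    return isinstance(name, str) and VM_NAME_RE.match(name) is not None


def validate_vm_name(name):
    """Return the name unchanged if it is acceptable, else raise ValueError."""
    if not is_valid_vm_name(name):
        raise ValueError("invalid VM name: %r" % (name,))
    return name


def build_command_unchecked(vm_name):
    """Unchecked pattern: the caller's value is spliced into a shell string,
    so whatever the authenticated SOAP user sends ends up in the command line."""
    return "xm shutdown %s" % vm_name  # assumed command; would run under shell=True


def build_command_checked(vm_name):
    """Hardened pattern: validated value, argv list, no shell interpretation."""
    return ["xm", "shutdown", validate_vm_name(vm_name)]


def run_checked(vm_name, runner=subprocess.run):
    """Run the hardened command; `runner` is injectable so callers can dry-run."""
    argv = build_command_checked(vm_name)
    return runner(argv, shell=False, check=True)
```

Because the check lives in the daemon's handler, it holds regardless of which frontend (if any) sits in front of the SOAP interface.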