oss-sec mailing list archives
Re: Question about CVE for X!! DoS
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 05 Jul 2013 20:22:02 -0700
On 07/ 5/13 01:50 PM, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> http://lists.opensuse.org/opensuse-updates/2013-07/msg00023.html
> https://bugzilla.novell.com/show_bug.cgi?id=815583
>
> Lists no CVE? I assume it needs one, or did upstream handle this?

Upstream discussion, including reps from both Red Hat & SuSE, determined it didn't need a CVE, since it can only be triggered by a client authorized to connect to the Xserver (via xauth, xhost, etc.) and such a client, by design, can lock all other clients out from the server, kill clients, etc. It would be like wanting a CVE for the fact that another process running under your UID can kill your process.

Not sure why SuSE decided to go ahead and release it as a security fix anyway - it's certainly a bug fix though.

--
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - http://blogs.oracle.com/alanc