Christian Biere wrote:
> Is this really a security issue? In a way it certainly is. However, others like
> FreeBSD - and OpenBSD I think too - handle these kind of bugs merely as
> "errata". In other words, they don't consider local denial of service attacks -
> which are even unavoidable on a bug-free system anyway - not worth a security
> advisory. At least, that's how I understand "handling this as security issue".
This is NetBSD.
> Correct me if I'm wrong, but in this case, the panic occurs only if DIAGNOSTIC
> is enabled which is not the case in any GENERIC kernels.
Irrelevant.
> For example, I have reported similar issues in the past. On the one hand, some
> of these have (rather recently) been considered worthy of formal security
> advisories. On the other hand, very similar issues were handled like normal
> bugs. Further, I have an open PR in the same domain which causes a local DoS as
> well and/or a panic. I'd think publishing an advisory whilst one of these is
> still open is even less useful.
I caught that just because I was looking at recent PRs. If you have any
PRs you've opened in the past, assign them to yourself and take a look
at them.
As for what justifies an advisory or not... ask security-officer.
-e.
--
Elad Efrat