Bug 643414 (CVE-2010-3902)
Summary: | CVE-2010-3902 OpenConnect: webvpn cookie content disclosure via debugging output | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | dwmw2, vdanen |
Target Milestone: | --- | Keywords: | Reopened, Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-12-08 16:16:11 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jan Lieskovsky
2010-10-15 14:45:01 UTC
Pfft. Is someone retrospectively filing random CVEs for every minor improvement I make in openconnect? CVE-2010-3901 made some sense as a CVE, but this is just silly. If you use the 'live http headers' plugin in Firefox, or use 'curl -v' to connect to the same VPN servers, you'll *also* see the same damn HTTP cookie. I made openconnect obscure it because users are stupid -- but I really don't think it's worthy of a CVE. Thank you, David. I have sent a mail to MITRE (and cc'd you) indicating that you are disputing this CVE assignment. I am inclined to agree with you -- if it is trivial to get the same information otherwise, than this obfuscation isn't really a security fix, but more a mechanism to keep users from unwittingly shooting themselves in the foot. Regardless, this is a bug we would like to see fixed in Fedora, so I am re-opening the bug. The security consequences are obviously disputed, but that has no bearing on the bug (other than calling it security and having a CVE name). Bug 629979 is a much better reason for me to push OpenConnect 2.26 as an update, FWIW. |