[OpenAFS] When to publish security advisories?

Gary Buhrmaster gary.buhrmaster@gmail.com
Fri, 15 Apr 2011 19:01:30 +0000


> My proposal, going forwards, is to not produce security advisories or releases for these local denial of service attacks. Local issues that can result in privilege escalation, or denial of service attacks that can be performed by those outside a site's infrastructure would still result in advisories.

Putting my security hat on, I think that local DOS impact
is in the eyes of the beholder.  For single user systems,
what you do to yourself is between the three of you.  For
sites that support communities of which you have to
presume at least a few compromised credentials, even
a local DOS might be significant, or require actions.  As
with all else, details matter (if anyone can do it with
a `/bin/ls` it is much more potentially impactful to a site
than if it requires a full moon, high tide, and a leap second
to reproduce).

So I would suggest that even local DOS deserves advisories
(with any possible mitigations/workarounds), but not a
software release/patch (i.e. "addressed in a future release").

Gary