Re: Security release criterion proposal

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On Wed, May 18, 2011 at 08:57:17 -0700,
  Adam Williamson <awilliam@xxxxxxxxxx> wrote:
> # There must be no known remote code execution vulnerability which could
> be exploited during installation or during use of a live image shipped
> with the release
> Points to consider:

I think there may be some remote exploits that we wouldn't want to block
for. For example if wesnoth turns out to be vulnerable to the game server
or one of the other clients, I don't thank is something we'd want to block for.
If firefox was vulnerable to web pages you visit being able to execute
unsandboxed code, then I feel it's a close call.

I'd prefer not to limit remote code execution to just root. User data
and network bandwidth are valuable. Then we also need to worry about local
root exploits being used in combination with non-root remote code exploits.

I think it is also worth considering whether the exploits are really
exploitable with our default configuration (selinux in enforcing mode).
security mailing list

[Home]     [Fedora Legacy List]     [Fedora Maintainers]     [Fedora Desktop]     [Red Hat 9 Bible]     [Fedora Bible]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Coolkey]     [Fedora Tools]

Powered by Linux