> My proposal, going forwards, is to not produce security advisories or
> releases for these local denial of service attacks. Local issues that can
> result in privilege escalation, or denial of service attacks that can be
> performed by those outside a site's infrastructure would still result in
> advisories.
Putting my security hat on, I think that local DOS impact is in the eyes of the beholder. For single-user systems, what you do to yourself is between the three of you. For sites that support communities in which you have to presume at least a few compromised credentials, even a local DOS might be significant, or require actions. As with all else, details matter (if anyone can do it with a `/bin/ls`, it is much more potentially impactful to a site than if it requires a full moon, high tide, and a leap second to reproduce). So I would suggest that even local DOS deserves advisories (with any possible mitigations/workarounds), but not a software release/patch (i.e. "addressed in a future release").

Gary

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info