Date: Wed, 3 May 2006 12:52:24 +0300
From: Michael Shigorin <mike@...n.org.ua>
To: David Litchfield <davidl@...software.com>
Cc: bugtraq@...urityfocus.com
Subject: foreseeing (cough) critical problems futile? (was: Oracle, where are the patches???)


On Tue, May 02, 2006 at 04:10:27PM +0100, David Litchfield wrote:
> That's what good regular patches allow me to do. The benefits
> are absolutely clear.  There are two major problems that can
> cause these benefits to evaporate into thin air, however. 
> 1) Late Patches
> 2) Re-issued Patches

3) Artificially late patches -- those which could be made
available ahead of the usual schedule to reduce the vulnerability window.

I guess the regular approach is OK for low-to-moderate but guarantees
enough additional headache for critical updates.  After all, it's
only vendor-found ones that can wait, and that's not exactly
"responsible" either since nobody can tell for sure the particular
problem isn't already known out there.

-- 
 ---- WBR, Michael Shigorin <mike@...linux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/

