Date: Fri, 13 Apr 2012 17:05:31 +0100
From: Jamie Riden <jamie.riden@...il.com>
To: Adam Behnke <adam@...osecinstitute.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Erronous post concerning Backtrack 5 R2 0day

On 12 April 2012 21:51, Adam Behnke <adam@...osecinstitute.com> wrote:
> Yesterday I made a post concerning a 0day advisory in Backtrack 5 R2:
> http://seclists.org/fulldisclosure/2012/Apr/123
>
> The posting was incorrect, the vulnerability was NOT in Backtrack but in
> wicd, no Backtrack contributed code is vulnerable. When we tweeted and
> emailed to mailing lists the notifications of this vulnerability, we
> incorrectly shortened the title and called it "Backtrack 5 R2 priv
> escalation 0day", which is misleading and could lead people to believe the
> bug was actually in Backtrack. The bug has always resided in wicd and not in
> any Backtrack team written code. We apologize for the confusion to the
> Backtrack team and any other persons affected by this error. We feel the
> Backtrack distro is a great piece of software and wish muts and the rest of
> the team the best.

I think some of this kerfuffle could have been avoided if the
backtrack (or wicd) team had been contacted for a response prior to
releasing the bug, as you would expect during a responsible disclosure
process (e.g. see RFPolicy, or just common sense). It would have then
been fairly obvious about who owned the bug, as it were.

It's not an uninteresting issue, but let's follow process a bit better
next time please? Better for everyone involved.

cheers,
 Jamie
-- 
Jamie Riden / jamie@...eynet.org / jamie.riden@...il.com
http://uk.linkedin.com/in/jamieriden
