From: coley at mitre.org (Steven M. Christey)
Subject: Re: Vulnerability Disclosure Debate

Georgi Guninski said:

>From personal experience with losers like m$ and on the other hand
>open source camp, your statement is completely wrong.  Personally
>don't see any open source in the OIS crap.

Red Hat security advisory RHSA-2003:245 says that "Red Hat would like
to thank Wojciech Purczynski and Janusz Niewiadomski of ISEC Security
Research for their responsible disclosure of this issue."

The security release for Apache 2.0.47 says "The Apache Software
Foundation would like to thank Saheed Akhtar and Yoshioka Tsuneo for
the responsible reporting of two of these issues."

Neither of these is the first instance for the associated software.

To a recent non-vendor announcement for a man-db vulnerability, Colin
Watson of Debian responded "Thank you for reporting these
vulnerabilities in man-db. However, I'm disappointed that you neither
informed me a little beforehand so that I wasn't taken by surprise by
your BugTraq post (preferable), nor sent a copy of your report to me
as the maintainer of man-db (which I would regard as the minimum of
common courtesy)."

We see those types of followups pretty consistently.

A recent Netfilter security advisory discusses a vulnerability in
CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC capabilities, but it does
not give sufficient details to know what the bug is; maybe it's an
integer signedness error, but it's not entirely clear.

A recent advisory for the DCERPC dissector in Ethereal 0.9.12 only
said that memory consumption was the result of using some "unknown" NDR
string.

Security advisories for the Linux kernel frequently include a
security-related fix for an "oops" with no additional details.

A recent security advisory for Nessus said "there are some flaws in
libnasl" and provided no additional details.  It later includes some
specifics about issues found by Sir Mordred, but then states "we fixed
similar issues in other nasl functions as well as in libnessus" but
provides no additional details.

Whether open source organizations are a formal part of OIS or not, at
least some of them are advocating some form of "responsible"
disclosure, and some of them are intentionally (or unintentionally)
not releasing exploit-related details, even if they are inferable
from diffs (and if you look at the diffs, sometimes security fixes
aren't particularly obvious).

- Steve
