lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: guninski at guninski.com (Georgi Guninski)
Subject: Re: Vulnerability Disclosure Debate

cc'ing parties to take part in the discussion.
Sure it is understandable for vendors to want some time to fix the crap, but the 
OIS crap is too much sh*t for me.
Once again, from personal experience, open source seems to give credit 
regardless of going public with no patch.

georgi

Steven M. Christey wrote:
> Georgi Guninski said:
> 
>>From personal experience with losers like m$ and on the other hand
> 
>>open source camp, your statement is completely wrong.  Personally
>>don't see any open source in the OIS crap.
> 
> 
> Red Hat security advisory RHSA-2003:245 says that "Red Hat would like
> to thank Wojciech Purczynski and Janusz Niewiadomski of ISEC Security
> Research for their responsible disclosure of this issue."
> 
> The security release for Apache 2.0.47 says "The Apache Software
> Foundation would like to thank Saheed Akhtar and Yoshioka Tsuneo for
> the responsible reporting of two of these issues."
> 
> Neither of these are the first instance for the associate software.
> 
> To a recent non-vendor announcement for a man-db vulnerability, Colin
> Watson of Debian responded "Thank you for reporting these
> vulnerabilities in man-db. However, I'm disappointed that you neither
> informed me a little beforehand so that I wasn't taken by surprise by
> your BugTraq post (preferable), nor sent a copy of your report to me
> as the maintainer of man-db (which I would regard as the minimum of
> common courtesy)."
> 
> We see those types of followups pretty consistently.
> 
> A recent Netfilter security advisory discusses a vulnerability in
> CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC capabilities, but it does
> not give sufficient details to know what the bug is; maybe it's an
> integer signedness error, but it's not entirely clear.
> 
> A recent advisory for the DCERPC dissector in Ethereal 0.9.12 only
> said that memory consumption was the result using some "unknown" NDR
> string.
> 
> Security advisories for the Linux kernel frequently include a
> security-related fix for an "oops" with no additional details.
> 
> A recent security advisory for Nessus said "there are some flaws in
> libnasl" and provided no additional details.  It later includes some
> specifics about issues found by Sir Mordred, but then states "we fixed
> similar issues in other nasl functions as well as in libnessus" but
> provides no additional details.
> 
> Whether open source organizations are a formal part of OIS or not, at
> least some of them are advocating some form of "responsible"
> disclosure, and some of them are intentionally (or unintentionally)
> not releasing exploit-related details, even if they are inferrable
> from diff's (and if you look at the diffs, sometimes security fixes
> aren't particularly obvious.)
> 
> - Steve
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> 



Powered by blists - more mailing lists