Date: Sat Sep 10 15:46:42 2005
From: wari00 at gmail.com (Roberto Gomez Bolaños)
Subject: Mozilla Firefox "Host:" Buffer Overflow

And how exactly do you propose to "leave out the details and PoC" when
the presence of the bug and the steps taken to fix it can not be
concealed from public view given that the source code and the entire
CVS entries are freely available for anyone to browse?

Mozilla users are getting the consideration they deserve. They deserve
to know what code they are running whenever they feel like doing so and
to know what the Mozilla team is doing with the code. That's probably
one of the reasons why they run Firefox in the first place (but not
necessarily the only or more important one).

The proposal for obscurity serves well closed-source initiatives and
development processes that have limited or no public visibility, but it
fails in the presence of OSS. The "responsible disclosure" advocates
act as if Linux, *BSD, Mozilla and a zillion other open source projects
did not exist in reality.

Perhaps what was needed was to report the IE and SP2 vulnerabilities
in a similar fashion and not the opposite, but alas the reporter
probably did not want the MSRC meat-grinding PR machinery going after
him.

----
Two interesting points: 

1) It took several minutes and more browsing elsewhere (in Bugzilla) before
my browser blew up after testing the POC.

2) When you reported a "Windows XP SP2 IE 6.0 Vulnerability"
(http://security-protocols.com/modules.php?name=News&file=article&sid=2891)
and a "Windows XP SP2 Remote Kernel DoS"
(http://security-protocols.com/modules.php?name=News&file=article&sid=2783)
you left the details of the bug and the POC out. Personally, I generally
approve of that, but why don't Mozilla users deserve as much consideration?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer@...fdavis.com