| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Feb 2011 13:40:47 -0500 From: Charles Morris <cmorris@...odu.edu> To: Valdis.Kletnieks@...edu Cc: full-disclosure@...ts.grok.org.uk, "Zach C." <fxchip@...il.com> Subject: Re: Vulnerability in reCAPTCHA for Drupal >> It is my personal belief that all vulnerabilities should be patched >> regardless of existence of a known attack vector or exploit. > > Let me fix that for you: > > All vulnerabilities should be evaluated as to whether patching them > makes sense. If it's a one-liner fix for a stupid logic error, yes > it probably should be patched whether or not there's a known exploit. > ... > > So yes, evaluation is needed. But patching it may not make any realistic > sense, depending on the nature of the issue and who is potentially affected. > I agree Valdis, and I personally used shatter when it was popularized.. resulting in tons of fun here at the university with my colleagues. However, I'm simply stating a belief in a more abstract sense, I agree beliefs are not always realistic, but personally I /do/ make that guarantee whenever I write a piece of code. I am very aware I must compromise this belief when working in the market, like most of my other beliefs and morals, and I do so daily. Then I go home and cry myself to sleep. Charles _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists