Message-ID: <40BDC6FE.6060907@onryou.com>
Date: Wed, 02 Jun 2004 08:24:30 -0400
From: Cory Donnelly <lists2@...you.com>
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org, security@...ian.org
Subject: Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Zimmerman wrote:
> Such vendors/developers are doing their users and the community a
> disservice.  Proper public disclosure of vulnerabilities requires very
> little effort on their part; there is no good reason to conceal
> information this way.  There is no need to contact every downstream
> vendor directly; they monitor the usual channels.

From the shortsighted developer's perspective there are *plenty* of very
compelling reasons to discreetly fix vulnerabilities.

A developer may be wary of losing his/her job should management learn of
the gaffe.

A developer's pride may prevent him/her from notifying the appropriate
folks in his/her organization.

A developer may not realize the seriousness of a vulnerability (or may
fix it accidentally).

Management may pressure the developer to keep the changelog positive,
using the argument that all documentation associated with their software
must go through the PR department.

Obviously the world would be a better place if these disclosures were
made (and made consistently), but there are plenty of good reasons
(depending on perspective) to keep quiet about bug fixes.

Regardless, we've strayed off-topic -- Roman's original point about how
backporting security patches to debian-stable only works when
debian-stable backporters are aware of vulnerabilities is absolutely
correct.

take care,

Cory
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFAvcb+okBdAgPGOhURAsr6AKC9Tii2d3A1YxE+YEH49UULnTjywQCfdYnF
9ZpToiNm++VzwFH8IvLNBDw=
=/P6/
-----END PGP SIGNATURE-----
