Message-ID: <Pine.LNX.4.58.0603231528290.14996@dione>
Date: Thu, 23 Mar 2006 15:53:42 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: bugtraq@...urityfocus.com
Cc: funsec@...uxbox.org
Subject: Re: sendmail vuln advisories (CVE-2006-0058)


On Wed, 22 Mar 2006, Marc Bejarano wrote:

> a security vulnerability [...] certain versions [...] under some
> specific timing conditions [...] a specifically crafted attack [...]
> when specific conditions [...] within certain operating system
> architectures [...] certain timing conditions [...] theoretical
> vulnerability [...] specific email payload [...] specific network
> programming skills [...] very specific conditions.

As with many advisories released these days, this announcement contains
almost no vulnerability information other than repetitive, vague mentions
of a "very specific" threat, and a notification that a nondescript patch
is available.

So be it - although I do not subscribe to responsible (limited and overly
delayed) disclosure policies (because they greatly benefit the vendor -
the party at fault - and limit the acceptable behavior of the researcher;
and because they effectively stop independent research into, validation
of, and fixing of, existing flaws)... but OK, this approach is favored by
all the powers to be, no point in starting a flame war.

But isn't it hilarious that this particular advisory is not from a closed
source vendor, but rather for an open source product - and diffs are
available on the net?

So what's the point of maintaining this writing style, other than making
folks who have legitimate uses for more detailed information feel
miserable?

/mz
