| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Mar 2006 15:53:42 +0100 (CET) From: Michal Zalewski <lcamtuf@...ne.ids.pl> To: bugtraq@...urityfocus.com Cc: funsec@...uxbox.org Subject: Re: sendmail vuln advisories (CVE-2006-0058) On Wed, 22 Mar 2006, Marc Bejarano wrote: > a security vulnerability [...] certain versions [...] under some > specific timing conditions [...] a specifically crafted attack [...] > when specific conditions [...] within certain operating system > architectures [...] certain timing conditions [...] theoretical > vulnerability [...] specific email payload [...] specific network > programming skills [...] very specific conditions. As with many advisories released these days, this announcement contains almost no vulnerability information other than repetitive, vague mentions of a "very specific" threat, and a notification that a nondescript patch is available. So be it - although I do not subscribe to responsible (limited and overly delayed) disclosure policies (because they greatly benefit the vendor - the party at fault - and limit the acceptable behavior of the researcher; and because they effectively stop independent research into, validation of, and fixing of, existing flaws)... but OK, this approach is favored by all the powers to be, no point in starting a flame war. But isn't it hilarious that this particular advisory is not from a closed source vendor; but rather, for an open source product - and diffs are available on the net? So what's the point of maintaining this writing style, other than making folks who have legitimate uses for a more detailed information feel miserable? /mz
Powered by blists - more mailing lists