Message-ID: <1392ef550903091151i5ebd0234r47bd5634602d2786@mail.gmail.com>
Date: Mon, 9 Mar 2009 19:51:07 +0100
From: Julien Thomas <julien.thomas.1@...il.com>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerability CVE-2008-3671 - MyReview's vulnerability in the access control system

Good Evening.

After having received your message, I checked the new version of myreview to see whether they took my patch into account (I sent them in private) or not. Unfortunately, they didn't. Besides, they didn't reply to my messages either. I've just sent them a new message in case of ...

However, concerning any patch, I don't want to disclose one as I want to let the myreview developers manage that. This is due to the nature of the bugs:

- incorrect configuration of the project files. Though this could be considered as an installation mistake, I think myreview developers should consider it. They can correct that with an advanced installation script or at least inform users about this problem
- correction of this bug requires project updates, as some functionalities would not be working if the mentioned correction is made. This second point is clearly a task that has to be done by myreview developers.

Besides, the link between the patch and the bug exploitation is straightforward and I don't want to be at the origin of attacks/exploits ...

So I do not know what to do:

- patch disclosure may engender the generation of exploits
- patch non-disclosure does not solve the bug announced for the first time 8 months ago ...

What do you think about that?

Best Regards,
Julien Thomas

On Mon, Mar 9, 2009 at 8:50 AM, <alexchf.fyp@...il.com> wrote:
> Is there any patch for the v1.9.9 to avoid this security issue?
> --

--
Julien Thomas
More information (projects, personal site, ..) http://www.julienthomas.eu/