Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.44.0305121023001.21166-100000@dell1.moose.awe.com>
From: mjc at redhat.com (Mark J Cox)
Subject: Hotmail & Passport (.NET Accounts)

> I sure hope that 
> folk won't be sucked into bogus "MS released fewer IE patches last 
> year" claims based solely on the year-on-year comparison of the 
> number of patch releases (as indicated by security bulletin count).

Most vendors and even open source software projects roll up security
fixes, usually when issues are classed as minor or if several severe
issues can be announced and fixed at the same time.  To know how many
issues get rolled up you need to be able to count issues or
vulnerabilities and that can be quite subjective.  However we can
normalise on CVE data to get useful statistics:

Looking at point releases of Apache 1.3 and Apache 2.0 that contained
security fixes, each release fixed on average 1.63 vulnerabilities (44%
of releases fixed more than one issue, max 3 issues in one release).

Looking at Red Hat advisories from Jan 2000 to Apr 2002, each advisory for
Red Hat Linux fixed on average 1.54 vulnerabilities (18% of advisories
fixed more than one issue, max 11 issues in one advisory).

Cheers, Mark
-- 
Mark J Cox
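As an added illustration (not part of Mark's message or of any Red Hat tooling), the following Python routine builds the kind of statistics quoted above by normalising on CVE data: it extracts the distinct CAN/CVE identifiers each advisory cites, then reports the mean number of issues per advisory, the share of advisories fixing more than one issue, and the maximum rolled into a single advisory. The advisory names, identifiers and texts are constructed placeholders.

```python
import re
from statistics import mean

# MITRE identifiers as they appeared at the time of the post: CAN-YYYY-NNNN
# (candidates) alongside CVE-YYYY-NNNN entries.
CVE_RE = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b")

# Constructed sample advisories (names, ids and texts are placeholders, not
# real Red Hat or Apache data). Advisory 002 cites one id twice, and 005
# re-fixes an issue already covered by 001 (e.g. for a second product line).
SAMPLE_ADVISORIES = {
    "RHSA-example-001": "Updated packages fix CAN-2002-0001.",
    "RHSA-example-002": "Fixes CAN-2002-0002 and CAN-2002-0003 (see also CAN-2002-0002).",
    "RHSA-example-003": "Rollup of CAN-2002-0004, CAN-2002-0005 and CVE-2001-0006.",
    "RHSA-example-004": "Updated packages fix CVE-2001-0007.",
    "RHSA-example-005": "Updated packages for another product fix CAN-2002-0001.",
}


def ids_per_advisory(advisories):
    """Map each advisory name to the set of distinct ids its text references."""
    return {name: set(CVE_RE.findall(text)) for name, text in advisories.items()}


def rollup_stats(advisories):
    """Summarise how many distinct issues each advisory rolls up.

    Advisories citing no identifier cannot be normalised on CVE data; they
    are excluded from the per-advisory figures and reported separately.
    """
    per = ids_per_advisory(advisories)
    counts = [len(ids) for ids in per.values() if ids]
    if not counts:
        raise ValueError("no advisory referenced a CVE/CAN identifier")
    all_ids = set().union(*per.values())
    multi = sum(1 for c in counts if c > 1)
    return {
        "advisories": len(counts),
        "unnormalised": len(per) - len(counts),
        "issue_mentions": sum(counts),          # counts a re-fixed issue twice
        "distinct_issues": len(all_ids),        # counts each CVE/CAN id once
        "mean_per_advisory": round(mean(counts), 2),
        "pct_fixing_more_than_one": round(100.0 * multi / len(counts), 1),
        "max_in_one_advisory": max(counts),
    }


if __name__ == "__main__":
    for key, value in rollup_stats(SAMPLE_ADVISORIES).items():
        print(f"{key}: {value}")
```

The gap between `issue_mentions` and `distinct_issues` is exactly the double counting that comparing raw bulletin numbers across vendors hides.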