Message-ID: <BF9651D8732ED311A61D00105A9CA31511AD0B06@berkeley.gci.com>
From: lsawyer at gci.com (Leif Sawyer)
Subject: Silent Fixes (was GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution)

gabriel rosenkoetter writes:
> Oh, give me a break. Some developer went, "Oh, hey, I'm not
> bounds checking there. Okay, fix that," and the changes
> filtered out into the release of IE. 
> [... blah blah ...] Hell, do we expect Linux or NetBSD
> [ to tell us about every buffer overflow they fix? ]

Uh.  Methinks you don't read the linux kernel mailing list,
do you?  

Yes, every freaking buffer overflow they fix is discussed.
In fact, nearly every change made to the kernel is discussed
at some point.  And it's all documented as to who the person
was that inserted the code in the first place, and who fixed it.

Responsible?  Check.
Open?  Check.
The way it _should_ be?  Check.

Caveat: I don't subscribe to any BSD lists, but I can infer that
they have a similar process in place.

Silent fixes suck.  The only thing they do is prevent the user
from making an informed decision about how to deal with them.
