Message-ID: <E041FEC1-3EEE-4109-B217-EB223C77CDB4@oav.net>
Date: Sat Jul 16 10:18:03 2005
From: kiwi at oav.net (Xavier Beaudouin)
Subject: Secunia published advisory without respecting release date !


On 16 Jul 05 at 03:59, Jerome Athias wrote:

> 2 things I remind myself...
>
> 1) http://seclists.org/lists/vulndiscuss/2004/Dec/0006.html

Yes. I received this one. But I still don't agree that Secunia didn't  
take the time to inform The Caudium Group *before* sending this  
"advisory" to security lists.

This is _not_ fair and positively a bad way to be *respected* on
security advisories.

This is also the reason why we decided (we = Caudium Group) to close the
bug tracker at SourceForge to avoid false information being sent.

Usually the idea is:

bug/security problem found -> draft of advisory is sent to
developers to get more accurate information -> time to make a fix ->
advisory is sent

Secunia has just taken a bug from our tracker *without* telling the
Caudium Group that they are taking this to make an advisory, and just
sent it to security lists with _false_ information.

I still consider that this is half-done work and they are not nice
people when they make an advisory.

So because of that half-done work, all Caudium Group developers now
don't trust Secunia anymore. I am sorry for them, but it is the way
they make the advisory without contacting authors that gives us this
situation.

> 2) This is an answer of Thomas before a disclosure of some vuln  
> that Secunia found "at the same time" :
>
> 10/09/2004 19:40
>
> Re: OpenOffice World-Readable Temporary Files Disclose Files to  
> Local Users
>
> Hi Jérôme,
>
> This issue was originally discovered by Secunia on 16th August and
> reported to the vendors.
>
> Please do not forward to anyone else. The various vendors will release
> updates on Wednesday in a co-ordinated disclosure.
>
> Kind regards,

They didn't get so smart with us. We still don't accept this fact.
If they were so smart we would still trust them. They were not, so they are
their own victims of their half-done work for the Caudium Group advisory.

/Xavier
