Message-ID: <20060715151919.GA3181@sentinelchicken.org>
Date: Sat Jul 15 16:19:35 2006
From: tim-security at sentinelchicken.org (Tim)
Subject: Linux Privilege Escalation exploits

> destruction and so on. People need to decide for themselves how
> critical it is. My 2krone.

Exactly.  Generic severity ratings are pointless.  Even if they were
standardized, they would be of very little value since risk is highly
dependent on an organization's deployment of the vulnerable software
described.  Those releasing the ratings know nothing about how it is
deployed, what is at risk by the deployment, and how far an attacker
would have to go to obtain access to the vulnerable software.  

Often these ratings act against the recommendations of security
administrators, because if management sees a "Low" or "Medium" severity,
they don't regard it as something to act on quickly when it should be,
or they'll burn resources on something rated "High" even though it may
not impact the specific deployment in a severe way.

It is better to provide concise, complete, and accurate information
about vectors of attack and the potential results of those attacks to
allow people to make their own decisions.

tim
