Message-ID: <1253575518.20090410135128@Zoller.lu>
Date: Fri, 10 Apr 2009 13:51:28 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: Marcus Meissner <meissner@...e.de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Linux Kernel CIFS Vulnerability
Hi Marcus,
MM> I think we have brought this up to the kernel guys often already
MM> without much effect ... and I am aware of above posts.
I am a bystander that is bewildered by the situation and have not been
following this "situation" from the beginning.
MM> This is Opensource, if the original authors don't provide security
MM> guidance,
You mean "this is anarchy" or Sparta? SCNR
There is no need for "security guidance", there is a need for a
simple FLAG [x] Might be security relevant or [X] is security relevant.
Others might then look into it a lot faster instead of triaging
through hundreds of irrelevant bugs.
MM> someone else can easily step up and do it, like Brad, or Fefe,
MM> or whoever else.
Brad and Fefe certainly have other things to do than point out the
security intrinsics of bugs in OSS software. Setting the flags above
might help get others to look into them faster.
How about solving the problem by open sourcing the knowledge
required to attribute the security nature of a coding error, so as to help
those that simply ignore it? That could be a start too.
It's often plain easy and can be explained in IF ELSE kind of way.
MM> Even we as Linux distributors should probably set some people up to study the
MM> .stable releases for such things.
It would certainly help; what helps a lot more from my POV is creating
a website, a sort of hall of shame, that discloses silent security
fixes. It helps everybody, puts pressure on the "they are just normal
bugs" fraction, helps those that ignore WHY a particular bug has
security implications and helps the overall perception of OSS software
in terms of security.
--
http://blog.zoller.lu
Thierry Zoller