Date: Mon, 29 Aug 2011 19:34:09 +0300
From: Georgi Guninski <guninski@...inski.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk, Mark J Cox <mjc@...che.org>
Subject: Re: Apache Killer

On Thu, Aug 25, 2011 at 03:52:00PM -0400, Valdis.Kletnieks@...edu wrote:
> On Thu, 25 Aug 2011 21:35:04 +0300, Georgi Guninski said:
> > On Wed, Aug 24, 2011 at 10:45:53AM +0100, Mark J Cox wrote:
> > > Use CVE-2011-3192.
> >
> > why the fuck use this shit?
> 
> So that when two different people issue advisories about it, if they both say
> CVE-2011-3192, we know it's the same issue.  Otherwise if you got some people
> writing about Kingcope's hole with gzip and others writing about Zalewski's
> hole with Range: it's hard to tell if they're really the same issue or not.
> 

I am missing something while not feeling like explaining to dummies why cve sux.

Clearly the current thread drama was started by the publication of Kingcope's POC.

Zalewski might have something to do with this issue, I don't know.

The IETF RFC is so DOS friendly they have a ticket on it.

As of now (29.08.2011) apache d3v3lop3rs released an advisory not mentioning neither Kingcope nor Zalewski and citing the cve sh1t which is VIRTUALLY EMPTY as of now - check for yourself (citing empty stuff appears strange to me).

From the virtually empty cve sh1t I can't tell nothing about the drama.

What did you try to explain or will I have to wait for bright times when usa is debt free?

-- 
joro

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
