Open Source and information security mailing list archives
 
Date:	Mon, 21 Jul 2008 21:48:13 -0300
From:	"Rodrigo Rubira Branco (BSDaemon)" <rbranco@...checkpoint.com>
To:	Alan Cox <alan@...hat.com>
CC:	Greg KH <gregkh@...e.de>, linux-kernel@...r.kernel.org,
	stable@...nel.org, greg@...ah.com,
	"'Justin Forbes'" <jmforbes@...uxtx.org>,
	"'Zwane Mwaikambo'" <zwane@....linux.org.uk>,
	"'Theodore Ts'o'" <tytso@....edu>,
	"'Randy Dunlap'" <rdunlap@...otime.net>,
	"'Dave Jones'" <davej@...hat.com>,
	"'Chuck Wolber'" <chuckw@...ntumlinux.com>,
	"'Chris Wedgwood'" <reviews@...cw.f00f.org>,
	"'Michael Krufky'" <mkrufky@...uxtv.org>,
	"'Chuck Ebbert'" <cebbert@...hat.com>,
	"'Domenico Andreoli'" <cavokz@...il.com>,
	"'Willy Tarreau'" <w@....eu>, torvalds@...ux-foundation.org,
	akpm@...ux-foundation.org, alan@...rguk.ukuu.org.uk,
	caglar@...dus.org.tr, casey@...aufler-ca.com,
	spender@...ecurity.net, pageexec@...email.hu,
	rodrigo@...nelhacking.com
Subject: Re: [stable] Linux 2.6.25.10 (resume)

Alan Cox wrote:
>> @@ -1,7 +1,7 @@
>> -Linux kernel developers take security very seriously.  As such, we'd
>> -like to know when a security bug is found so that it can be fixed and
>> -disclosed as quickly as possible.  Please report security bugs to the
>> -Linux kernel security team.
>> +Linux kernel developers take security very seriously, in exactly the 
>> +same way we do with any other bugs.  As such, we'd like to know when 
>> +a security bug is found so that it can be fixed as soon as possible.
>> +Please report security bugs to the Linux kernel security team.
>>     
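Review bot: The rewritten paragraph silently drops the disclosure commitment: "fixed and disclosed as quickly as possible" becomes "fixed as soon as possible", so a reporter reading this text no longer knows whether, when, or by whom a fixed issue will be made public. Either keep the "and disclosed" wording or add a sentence stating what the team does disclose and when. As a style point, the added lines "take security very seriously, in exactly the " and "we'd like to know when " end in trailing whitespace, which should be stripped before the patch is applied.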
>
> NAK this. If the fix is not clear and the bug not too serious it is better
> to disclose it than fail to fix it. The security team does not usually fix the
> bugs, the experts in the various bits of code do.
>   
ACK ;)  Changed the sentence.  Tks.

>> -Any exploit code is very helpful and will not be released without
>> -consent from the reporter unless it has already been made public.
>> +Any exploit code is very helpful and will not be released.
>>     
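Review bot: The new sentence "Any exploit code is very helpful and will not be released." is an absolute promise the security team cannot keep once the code has been published by the reporter or a third party, or has leaked; the removed lines handled exactly that case with "without consent from the reporter unless it has already been made public". Keep that carve-out rather than committing the document to something unenforceable.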
>
> NAK this too. If someone releases an exploit publicly or it leaks we
> want to be able to freely share it too. Your proposal would mean any but
> those dumb enough to agree to this could share it. That is why the unless made
> public is part of every generic NDA document on the planet.
>   
Agreed.  Changed the sentence.  Tks.
> The rest needs Linus to return from holiday for discussion and that'll
> be a week or two. In the meantime you might want to define "disclose" as
> I don't think we all agree on what it means as you've not defined who is and
> isn't the linux security team and/or its helpers.
Cool.

View attachment "SecurityBugs.patch" of type "text/plain" (2694 bytes)
