Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150129130913.1cb0a9e9@pc>
Date: Thu, 29 Jan 2015 13:09:13 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: GHOST gethostbyname() heap overflow in glibc
 (CVE-2015-0235)

On Thu, 29 Jan 2015 02:05:38 -0700
Kurt Seifried <kseifried@...hat.com> wrote:

> So you'll be doing the work to confirm which ones are/are not, patch
> them, regression test the patches and so on? Awesome!
> 
> There's a reason we don't treat every potential security flaw as a
> security vulnerability. We have finite resources and pretty much an
> infinite number of flaws to deal with. Until you solve that problem we
> have to make due with "best effort", letting perfection be the enemy
> of good will kill us.

I find that sarcastic comment inappropriate. After all it's your
company that's selling a product that makes the promise to backport
important security fixes for years.

I think we have a real problem here and I'd like to have a talk how to
solve it. Debian, Redhat, Ubuntu and many others are making an implicit
promise with their long time supported stable distributions that they'll
take care of important bugs. I have big doubts how capable they are in
delivering that promise. There are just too many bugs to take care of.

I'll write up something longer on that topic later today.

And yes: I'd like people to cry alarm every time they see a buffer
overflow in glibc or any other core lib. Even if we aren't capable of
deeply checking every one of them: Having the information available
somewhere else than depply hidden in a google bugtracker would be an
improvement. If it is too much for this list create another place for
it.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.