Message-ID: <55B23798.7090709@internot.info>
Date: Fri, 24 Jul 2015 23:03:20 +1000
From: Joshua Rogers <oss@...ernot.info>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

On 24/07/15 22:15, Martino Dell'Ambrogio wrote:
> Moreover, as soon as systems can be patched, they should be.
> Of course a few hours delay is not realistic, but I want to be sure that
> everyone understands how much "releasing a working exploit *does not
> help anybody*" is false.
>
> I urge researchers to continue to release their exploits into the public
> domain.
> Do it "responsibly", maybe get help in order to do it correctly, but do
> it, because it's beneficial more than harmful to any potential target.
I concur.
The release of PoCs is very important, for many reasons. It allows,
as stated, the ability to pentest a system efficiently.

I think in this case, it is inappropriate for a PoC to be released on
the same day as the updates being pushed.
As everybody knows, there are a lot of hacked boxes on the internet. Now
some guy that has a botnet of local users will be able to mass-root all
the boxes while the owners sleep, because they have been given no
warning at all about this. Even if 48 hours were waited before the PoC
was released, it would be much better.

That's just my 2 cents anyways.


Thanks,
-- 
-- Joshua Rogers <https://internot.info/>

