Message-ID: <YezR31IUUe48w7KH@sol.nexus.lan>
Date: Sat, 22 Jan 2022 22:02:46 -0600
From: John Helmert III <ajak@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001

In this case the advisory was published the same day as the release,
but in general I notice that WebKit security advisories are published
sometimes weeks after the releases, often with vague changelog notes
like "Fix several crashes and rendering issues.". For example,
WSA-2021-0006 was released on October 26th, 2021 noting fixes for
2.32.4, 2.34.0, and 2.34.1, which were released on September 17,
September 22, and October 21 respectively.

With this big of a gap between releases and security advisories, it
seems that users and distributors will be unaware of the necessity of
updating due to security fixes, sometimes for weeks after the
release. Why not always publish advisories close to new releases?