Date: Mon, 10 Mar 2014 14:32:21 -0700
From: Chris Palmer <snackypants@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: When is broken crypto a vulnerability?

On Mon, Mar 10, 2014 at 1:19 PM, Alex Gaynor <alex.gaynor@...il.com> wrote:

> When thinking about this issue, I like to refer to:
> https://glyph.twistedmatrix.com/2005/11/ethics-for-programmers-primum-non.html
> Any time the behavior of the program violates the user's intent in a way
> which compromises their security, that's a security issue. To that end, any
> of a-d, IMO, ought to qualify for a CVE, the only acceptable way to expose
> functionality like this is LegacyObviouslyBrokenZipEncryption.

Strong agree.
