Date: Mon, 10 Mar 2014 14:32:21 -0700
From: Chris Palmer <snackypants@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: When is broken crypto a vulnerability?

On Mon, Mar 10, 2014 at 1:19 PM, Alex Gaynor <alex.gaynor@...il.com> wrote:
> When thinking about this issue, I like to refer to:
> https://glyph.twistedmatrix.com/2005/11/ethics-for-programmers-primum-non.html
> any time the behavior of the program violates the user's intent in a way
> which compromises their security, that's a security issue. To that end, any
> of a-d, IMO, ought to qualify for a CVE, the only acceptable way to expose
> functionality like this is LegacyObviouslyBrokenZipEncryption.

Strong agree.