Date: Wed, 09 Jul 2014 07:15:17 +0000
From: "Poul-Henning Kamp" <phk@....freebsd.dk>
To: Michael Samuel <mik@...net.net>
cc: oss-security@...ts.openwall.com
Subject: Re: Re: Varnish - no CVE == bug regression

In message <CACYkhxgmsOG7H3FKhjvDQTfg_WptW1bv19q2CrcPLFTsdL+GiQ@...l.gmail.com>, Michael Samuel writes:

>A CVE assignment will trigger out-of-band patches for distros that might
>not do so otherwise. Surely you agree that this is desirable?

No, I do not.

If DNS is spoofed, then DNS is spoofed and anything which uses DNS is vulnerable, but it is not a security vulnerability in every single piece of software that might conceivably use DNS lookups, it is a vulnerability in DNS which we have known about since DNS came about.

If the so-called "security industry" wants to be taken seriously, it has to stop this kind of nonsense.

It seems that the primary thing a CVE assignment will cause is for somebody to make another notch in his bedpost.

I also have no idea what "out-of-band patches", nor for that matter which "distros", you are talking about here. Do you ? If so I'd like to hear about them, because as I said as the very first thing: We fix bugs in Varnish, and I'd like to receive a copy of those patches.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@...eBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.