Date: Wed, 09 Jul 2014 07:15:17 +0000
From: "Poul-Henning Kamp" <phk@....freebsd.dk>
To: Michael Samuel <mik@...net.net>
cc: oss-security@...ts.openwall.com
Subject: Re: Re: Varnish - no CVE == bug regression

In message <CACYkhxgmsOG7H3FKhjvDQTfg_WptW1bv19q2CrcPLFTsdL+GiQ@...l.gmail.com>, Michael Samuel writes:

>A CVE assignment will trigger out-of-band patches for distros that might
>not do so otherwise.  Surely you agree that this is desirable?

No, I do not.

If DNS is spoofed, then DNS is spoofed and anything which uses DNS
is vulnerable, but it is not a security vulnerability in every
single piece of software that might conceivably use DNS lookups,
it is a vulnerability in DNS which we have known about since DNS
came about.

If the so-called "security industry" wants to be taken seriously,
it has to stop this kind of nonsense.

It seems that the primary thing a CVE assignment will cause is for
somebody to make another notch in his bedpost.

I also have no idea what "out-of-band patches" are, nor for that matter
which "distros" you are talking about here.

Do you?

If so I'd like to hear about them, because as I said as the very first thing:
We fix bugs in Varnish, and I'd like to receive a copy of those patches.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@...eBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
