Date: Wed, 1 Oct 2014 13:08:09 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: Healing the bash fork

Am Tue, 30 Sep 2014 19:19:55 -0400 (EDT)
schrieb "David A. Wheeler" <dwheeler@...eeler.com>:

> Finally: *PLEASE* let me know if you have any good ideas on how to
> find vulnerabilities like this ahead-of-time. My article "How to
> Prevent the Next Heartbleed" (http://www.dwheeler.com/essays/heartbleed.html)
> lists a
> number of ways that Heartbleed-like vulnerabilities could have been
> detected ahead-of-time, in ways that are general enough to be
> useful.  I'd like to do the same with Shellshock, so we can quickly
> eliminate a whole class of problems.

The "class of problems" here is imho that we have a bunch of tools that
get rare attention from anyone, are run by few volunteers, but they're
an essential part in running the Internet.

Just think about busybox, curl, wget, coreutils, gettext, gzip, ... - a
vuln in any of these could have severe consequences.

Maybe the topic here should be: "How can we get the (whitehat) IT
security community to have a deeper look at neglected but important
open-source projects?"

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42