Date: Wed, 1 Oct 2014 07:15:56 -0400
From: Jason Cooper <osssecurity@...edaemon.net>
To: oss-security@...ts.openwall.com
Subject: Re: Healing the bash fork

On Wed, Oct 01, 2014 at 01:08:09PM +0200, Hanno Böck wrote:
> Am Tue, 30 Sep 2014 19:19:55 -0400 (EDT)
> schrieb "David A. Wheeler" <dwheeler@...eeler.com>:
>
> > Finally: *PLEASE* let me know if you have any good ideas on how to
> > find vulnerabilities like this ahead-of-time. My article "How to
> > Prevent the Next Heartbleed" (http://www.dwheeler.com/essays/heartbleed.html)
> > lists a number of ways that Heartbleed-like vulnerabilities could have
> > been detected ahead-of-time, in ways that are general enough to be
> > useful. I'd like to do the same with Shellshock, so we can quickly
> > eliminate a whole class of problems.
>
> The "class of problems" here is imho that we have a bunch of tools that
> get rare attention from anyone, are run by few volunteers, but they're
> an essential part in running the Internet.
>
> Just think about busybox, curl, wget, coreutils, gettext, gzip, ... - a
> vuln in any of these could have severe consequences.
>
> Maybe the topic here should be: "How can we get the (whitehat) IT
> security community to have a deeper look at neglected but important
> opensource projects."

The LF has the Core Infrastructure Initiative:

http://www.linuxfoundation.org/programs/core-infrastructure-initiative/faq

thx,

Jason.