Date: Wed, 1 Oct 2014 07:15:56 -0400
From: Jason Cooper <osssecurity@...edaemon.net>
To: oss-security@...ts.openwall.com
Subject: Re: Healing the bash fork

On Wed, Oct 01, 2014 at 01:08:09PM +0200, Hanno Böck wrote:
> Am Tue, 30 Sep 2014 19:19:55 -0400 (EDT)
> schrieb "David A. Wheeler" <dwheeler@...eeler.com>:
> 
> > Finally: *PLEASE* let me know if you have any good ideas on how to
> > find vulnerabilities like this ahead-of-time. My article "How to
> > Prevent the Next Heartbleed" (http://www.dwheeler.com/essays/heartbleed.html)
> > lists a number of ways that Heartbleed-like vulnerabilities could have
> > been detected ahead-of-time, in ways that are general enough to be
> > useful.  I'd like to do the same with Shellshock, so we can quickly
> > eliminate a whole class of problems.
> 
> The "class of problems" here is imho that we have a bunch of tools that
> get rare attention from anyone, are run by few volunteers, but they're
> an essential part in running the Internet.
> 
> Just think about busybox, curl, wget, coreutils, gettext, gzip, ... - a
> vuln in any of these could have severe consequences.
> 
> Maybe the topic here should be: "How can we get the (whitehat) IT
> security community to have a deeper look at neglected but important
> opensource projects."

The LF has the Core Infrastructure Initiative:

  http://www.linuxfoundation.org/programs/core-infrastructure-initiative/faq

thx,

Jason.
