Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Mon, 06 Oct 2014 21:04:01 -0700
From: Ed Prevost <>
Subject: Re: Who named shellshock?

On 10/6/2014 8:55 PM, Solar Designer wrote:
> On Mon, Oct 06, 2014 at 08:33:44PM -0700, Michal Zalewski wrote:
>> This is the bit from Stephane:
>> -- snip! --
>> A release schedule with public disclosure on the 24th at
>> 14:00 UTC and early notification to other unix and linux
>> vendors on the 22nd and select infrastructure provider
>> notification (such as CDNs including Microsoft) on the 23rd
>> proposed on the 16th by Florian.
>> [...]
>> was registered (not by me) with a creation date of
>> 2014-09-24 13:59 UTC sometime before 2014-09-24 06:59:10Z
>> according to whois. Florian also said here that someone brought
>> the early notification sent to vendors/infrastructure to the
>> press, so someone obviously intended to take it to the press. I
>> don't know whom.
>> -- snip! --
> Thanks!
>> The thing sounds a bit damning (doesn't sound like
>> something that would be in the notifications to CDNs & co?).
> This certainly sounds bad, but what matters most is whether any info on
> the bug got to an unintended party before 2014-09-24 14:00 UTC or not.
> The name itself does not leak any vulnerability details,
> nor that there was in fact a bash vulnerability coming.  This does
> suggest that someone wasn't 100% busy using the then non-public info for
> its intended purpose, but it does not indicate they violated the trust
> of whoever disclosed the info to them (except possibly by cybersquatting
> the domain), nor put bash users at any additional risk.
> Alexander
I'd say it still has a sleazy feel to it. lol
