Date: Wed, 29 Oct 2014 03:48:19 +0300
From: Alexander Cherepanov <cherepan@...me.ru>
To: oss-security@...ts.openwall.com
Subject: Re: list policy (Re: Truly scary SSL 3.0 vuln to be
 revealed soon:)

On 2014-10-29 02:47, Kurt Seifried wrote:
> On 28/10/14 07:47 AM, Alexander Cherepanov wrote:
>> On 2014-10-15 12:30, Solar Designer wrote:
>>> - Please don't send fully working exploits (but testcases that exercise
>>> the flaw are welcome)
>>>
>>> FWIW, I've always been tempted to remove the latter guideline,
>>
>> Then perhaps just remove it? It always seemed to me a strange
>> restriction. Other guidelines are either technical in nature or they are
>> intended to reduce the amount of noise. This restriction seems to be
>> neither.
>>
>> Or you can replace it with something like this:
>> - Please only send fully working exploits which themselves are open-source.
>>
> Will someone/people vet the exploits to make sure they are not trojan
> horses/self harming (e.g. the rm -rf * embedded in it somewhere?).
> Strikes me as a heck of a watering hole attack potentially (and yes,
> list members should know better, but ... yeah).

This is an interesting question, but how do "fully working exploits" differ
from "testcases that exercise the flaw" in this regard?

-- 
Alexander Cherepanov
