Date: Tue, 27 Jan 2015 17:45:17 -0800
From: Qualys Security Advisory <qsa@...lys.com>
To: oss-security@...ts.openwall.com
Subject: Re: GHOST gethostbyname() heap overflow in glibc
 (CVE-2015-0235)

On Tue, Jan 27, 2015 at 08:45:12PM +0300, Solar Designer wrote:
> He found out that apparently the ghost image appeared on the Qualys
> website on October 2.

What?!  No idea where this image came from, who created it, or why, or
when.  What is absolutely certain is that October 2 has nothing to do
with this bug, simply because the first time someone here had the idea
of calling it "GHOST" was on Friday evening!  Yes, Friday, January 23,
2015!

> The GHOST name was not yet in the (almost final) advisory draft sent to
> the linux-distros list on January 18, nor was there any other name for
> this vulnerability in there.

Exactly, thank you!  And if some of you conspiracy theorists need more
proof, even SuSE's Bugzilla entry is still referencing the original name
of our proof-of-concept (charged-ghbn.c), which appeared in the advisory
draft we sent to the linux-distros mailing-list last week:

https://bugzilla.suse.com/show_bug.cgi?id=913646

In the end, some information was leaked before the Coordinated Release
Date (which was January 27, 2015 at 18:00 UTC), but it was just a few
hours early.  And again, we sincerely apologize.

Please please please, less pointless bickering, more code auditing.
Thank you.

-- 
the "technical folks"
