Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 24 Jul 2015 23:03:20 +1000
From: Joshua Rogers <oss@...ernot.info>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper
 - CVE-2015-3246 libuser

On 24/07/15 22:15, Martino Dell'Ambrogio wrote:
> Moreover, as soon as systems can be patched, they should be.
> Of course a few hours delay is not realistic, but I want to be sure that
> everyone understands how much "releasing a working exploit *does not
> help anybody*" is false.
>
> I urge researchers to continue to release their exploits into the public
> domain.
> Do it "responsibly", maybe get help in order to do it correctly, but do
> it, because it's beneficial more than harmful to any potential target.
I concur.
The releasing of PoC's are very important, for many reasons. It allows,
as stated, the ability to pentest a system efficiently.

I think in this case, it is inappropriate for a PoC to be released on
the same day as the updates being pushed.
As everybody knows, there are a lot of hacked boxes on the internet. Now
someguy that has a botnet of local-users will be able to mass root all
the boxes while the owners sleep, because they have been given no
warning at all about this.. Even if 48 hours was waited before the PoC
was released, it would be much better.

That's just my 2cents anyways.


Thanks,
-- 
-- Joshua Rogers <https://internot.info/>


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.