Date: Fri, 24 Jul 2015 23:03:20 +1000
From: Joshua Rogers <oss@...ernot.info>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

On 24/07/15 22:15, Martino Dell'Ambrogio wrote:
> Moreover, as soon as systems can be patched, they should be.
> Of course a few hours delay is not realistic, but I want to be sure that
> everyone understands how much "releasing a working exploit *does not
> help anybody*" is false.
>
> I urge researchers to continue to release their exploits into the public
> domain.
> Do it "responsibly", maybe get help in order to do it correctly, but do
> it, because it's beneficial more than harmful to any potential target.
I concur.
The release of PoCs is very important, for many reasons. It allows,
as stated, a system to be pentested efficiently.

I think in this case, it is inappropriate for a PoC to be released on
the same day as the updates being pushed.
As everybody knows, there are a lot of hacked boxes on the internet. Now
some guy who has a botnet of local users will be able to mass-root all
the boxes while the owners sleep, because they have been given no
warning at all about this. Even if only 48 hours had been waited before the PoC
was released, it would be much better.

That's just my 2 cents anyway.


Thanks,
-- 
-- Joshua Rogers <https://internot.info/>

