Date: Sat, 11 Nov 2017 16:02:09 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-15102: Linux kernel: usb: NULL-deref due to a race condition in [legousbtower] driver

On 10/11/17 06:09, David A. Wheeler wrote:
> I agree that many vulnerabilities don't have CVE ids.
> You don't need to identify *all* vulnerabilities in old kernels... just enough to make
> it easier to update the kernel than try to back-patch everything.
> If manufacturers have to fix the CVEs to sell products, or to avoid massive returns,
> that creates an *economic* reason for manufacturers to
> begin responsibly maintaining their products.

The argument is knee-capped by CVEs being slowly and incrementally assigned.

The cost of incremental change is nowhere near as visible to vendors.
They just patch issues one by one, equally slowly, then blame the end
users for not upgrading/patching firmware, when the firmware upgrade
process itself is shrouded in lots of scary warnings and technical
actions that prevent home users from doing it.


The stick doesn't work too well with vendors and distributors. Too much 
greed these days. And that means the carrot works better - we just have 
to figure out what the best carrot looks like.

AYJ
