Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 1 Oct 2014 12:08:15 -0400
From: Jason Cooper <osssecurity@...edaemon.net>
To: oss-security@...ts.openwall.com
Subject: Re: Healing the bash fork

On Wed, Oct 01, 2014 at 08:55:35AM -0700, Greg KH wrote:
> On Wed, Oct 01, 2014 at 07:15:56AM -0400, Jason Cooper wrote:
> > On Wed, Oct 01, 2014 at 01:08:09PM +0200, Hanno Böck wrote:
> > > Am Tue, 30 Sep 2014 19:19:55 -0400 (EDT)
> > > schrieb "David A. Wheeler" <dwheeler@...eeler.com>:
> > > 
> > > > Finally: *PLEASE* let me know if you have any good ideas on how to
> > > > find vulnerabilities like this ahead-of-time. My article "How to
> > > > Prevent the Next
> > > > Hearbleed" (http://www.dwheeler.com/essays/heartbleed.html) lists a
> > > > number of ways that Heartbleed-like vulnerabilities could have been
> > > > detected ahead-of-time, in ways that are general enough to be
> > > > useful.  I'd like to do the same with Shellshock, so we can quickly
> > > > eliminate a whole class of problems.
> > > 
> > > The "class of problems" here is imho that we have a bunch of tools that
> > > get rare attention from anyone, are run by few volunteers, but they're
> > > an essential part in running the Internet.
> > > 
> > > Just think about busybox, curl, wget, coreutils, gettext, gzip, ... - a
> > > vuln in any of these could have severe consequences.
> > > 
> > > Maybe the topic here should be: "How can we get the (whitehat) IT
> > > seucrity community to have a deeper look at neglected but important
> > > opensource projects."
> > 
> > The LF has the Core Infrastructure Initiative:
> > 
> >   http://www.linuxfoundation.org/programs/core-infrastructure-initiative/faq
> 
> Yes, that's exactly what that group is doing, and they have a huge list
> of these types of projects that they are looking into funding to help
> prevent this type of thing from happening again.  I'll go add bash to
> the list there as I don't think it is currently on it at the moment.

Could we also update the FAQ to include "How to recommend a project?"?
A few days ago I tried to recommend bash.  I dug around, and finally
just sent an email to Ted.  Which I don't think is the correct answer
;-)

thx,

Jason.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.