
How long should security embargoes be?

Posted Feb 10, 2012 23:39 UTC (Fri) by PaXTeam (guest, #24616)
In reply to: How long should security embargoes be? by arjan
Parent article: How long should security embargoes be?

Users aren't vulnerable during the embargo only; they're vulnerable as long as they use the buggy code. The latter is usually much, much longer than the former, so a few days more or less for an embargo doesn't really change anything. Actually, I'm surprised you'd go public with such a statement considering your participation in one of the worst-handled Linux security bugs of all time. To refresh your memories, this is what was posted to vendor-sec on 2003.09.25:

<arjan> there's a security hole found by akpm
<arjan> that also hits your kernels
<arjan> Subject: [PATCH] do_brk() bounds checking
<arjan> that patch you want
<arjan> agreement is to put it in silently (eg no changelog)
<davej> ok
<arjan> it's not exactly public stuff either
<arjan> linus committed it with a non-security comment
<arjan> so should we
<davej> ok

And the result of this was the now infamous Debian core infrastructure compromise a few weeks later. What did you want to prove again?


Copyright © 2017, Eklektix, Inc.