June 14, 2015, 4:57 pm
Title: The hidden costs of embargoes (Red Hat Security Blog)
Date: Fri, 12 Jun 2015 00:12:11 -0400
Over at the Red Hat Security Blog, Kurt Seifried looks at the costs of
security embargoes. Keeping information about a security vulnerability
quiet until distributions can coordinate their releases of a fix seems
like it makes a lot of sense, but there are hidden costs to that. "Patch
creation with an embargoed issue means only the researcher and upstream
participating. The end result of this is often patches that are incomplete and
do not fully address the issue. This happened with the Bash Shellshock issue
(CVE-2014-6271) where the initial patch, and even subsequent patches, were
incomplete resulting in several more CVEs (CVE-2014-6277, CVE-2014-6278,
CVE-2014-7169). For a somewhat complete listing of such examples simply search
the CVE database for 'because of an incomplete fix for'."
: https://securityblog.redhat.com/2015/06/10/the-hidden-costs-of-embargoes/ (link)
: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=because+of+an+incomplete+fix+for (link)
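The Shellshock history quoted above is exactly why a practitioner should not stop checking after the first patch. The following POSIX sh script is an added example, not code from the LWN item or from the Red Hat post: it probes one bash binary with the publicly known test strings for each of the four CVEs named in the quote (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278), so that a "fixed" verdict means all of the follow-up fixes landed, not only the original one. `BASH_BIN` is an assumed knob and defaults to whatever `bash` is on `PATH`; the probes are read-only apart from a scratch directory that the 7169 check creates and removes.

```shell
#!/bin/sh
# Added example: probe a bash binary for the Shellshock CVE family named in
# the article. Each probe_* function returns 0 when the binary behaves like a
# FIXED bash, 1 when it shows the vulnerable behaviour, 2 if it cannot test.
# BASH_BIN is an assumed environment variable (not from the article).
BASH_BIN="${BASH_BIN:-bash}"

have_bash() {
    command -v "$BASH_BIN" >/dev/null 2>&1
}

# CVE-2014-6271: code appended after an exported function body is executed
# while bash imports the function from the environment.
probe_6271() {
    have_bash || return 2
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c "echo test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
    esac
    return 0
}

# CVE-2014-7169: the first fix left a parser bug; a trailing backslash in the
# imported function turns "echo date" into a redirection that creates a file
# named "echo" in the working directory. Run in a scratch dir and look for it.
probe_7169() {
    have_bash || return 2
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c "echo date" >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
    return 0
}

# CVE-2014-6277: parser memory corruption; a vulnerable bash is killed by a
# signal (exit status >= 128) on this input, a fixed bash merely warns about
# the unterminated here-document and exits 0.
probe_6277() {
    have_bash || return 2
    "$BASH_BIN" -c "f() { x() { _; }; x() { _; } <<a; }" >/dev/null 2>&1
    rc=$?
    if [ "$rc" -ge 128 ]; then
        return 1
    fi
    return 0
}

# CVE-2014-6278: command execution via an imported function even after the
# 6271/7169 fixes; a vulnerable bash prints "vulnerable" for a no-op command.
probe_6278() {
    have_bash || return 2
    out=$(env X='() { _; } >_[$($())] { echo vulnerable; }' "$BASH_BIN" -c : 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
    esac
    return 0
}

# Run every probe; exit 0 only if all four look fixed.
shellshock_report() {
    status=0
    for cve in 6271 7169 6277 6278; do
        probe_$cve
        rc=$?
        case "$rc" in
            0) echo "CVE-2014-$cve: fixed" ;;
            1) echo "CVE-2014-$cve: VULNERABLE"; status=1 ;;
            *) echo "CVE-2014-$cve: could not test ($BASH_BIN missing?)"; status=1 ;;
        esac
    done
    return $status
}

shellshock_report
```

Point `BASH_BIN` at a specific binary (for example a chroot's `/bin/bash` or a vendored copy inside a container image) to audit something other than the host shell; a single "VULNERABLE" line is enough to show that an incomplete fix, not a missing one, is what you are dealing with.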
Posting to comp.misc, sci.misc, and misc.news.internet.discuss