[CM] the hidden cost of embargoed security patch releases

From the «not sure the old way was working either» department:
Title: The hidden costs of embargoes (Red Hat Security Blog)
Date: Fri, 12 Jun 2015 00:12:11 -0400
Link: http://lwn.net/Articles/647979/rss

Over at the Red Hat Security Blog, Kurt Seifried looks[1] at the costs of
security embargoes. Keeping the information about security vulnerabilities
quiet until distributions can coordinate their releases of a fix for it seems
like it makes a lot of sense, but there are hidden costs to that. "Patch
creation with an embargoed issue means only the researcher and upstream
participating. The end result of this is often patches that are incomplete and
do not fully address the issue. This happened with the Bash Shellshock issue
(CVE-2014-6271) where the initial patch, and even subsequent patches, were
incomplete resulting in several more CVEs (CVE-2014-6277, CVE-2014-6278,
CVE-2014-7169). For a somewhat complete listing of such examples simply search
the CVE database for 'because of an incomplete fix for'[2]."

[1]: https://securityblog.redhat.com/2015/06/10/the-hidden-costs-of-embargoes/ (link)
[2]: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=because+of+an+incomplete+fix+for (link)

Posting to comp.misc, sci.misc, and misc.news.internet.discuss