WelcomeUser Guide
ToSPrivacyCanary
DonateBugsLicense

©2024 Poal.co

573

Well shit. Looks like a lot of patching inbound next week.

Archive: https://archive.today/J11ah

From the post:

>"Looks like there's a storm brewing, and it's not good news," writes ancient Slashdot reader jd. "Whether or not the bugs are classically security defects or not, this is extremely bad PR for the Linux and Open Source community. It's not clear from the article whether this affects other Open Source projects, such as FreeBSD." From a report:

Well shit. Looks like a lot of patching inbound next week. Archive: https://archive.today/J11ah From the post: >>"Looks like there's a storm brewing, and it's not good news," writes ancient Slashdot reader jd. "Whether or not the bugs are classically security defects or not, this is extremely bad PR for the Linux and Open Source community. It's not clear from the article whether this affects other Open Source projects, such as FreeBSD." From a report:
[–] 3 pts

Part of this story is that this man seems to have found a genuine, severe vulnerability, but he has had to put in solid days (weeks?) of his own time to convince the devs of that.

This comment from X is interesting:

Watching with interest. I've been sitting on a number of RCEs for years (far less reach than this one though) that vendors wont acknowledge but I don't want to go through the legal hassle of just dropping them.

I was thinking, if the devs refused to acknowledge an issue you could light a fire under their asses by telling them you will disclose it in one month. If they truly believe it’s a non issue there is no problem. If they know full well it’s an issue they’ll fix it. Either way, you should be in the clear since they told you it was not a vulnerability.

Now I’m thinking you would have to have some clear receipts to cover your ass. Even if the devs told you it was a non issue, if it could be proven that you knew better you could be sued into oblivion for releasing it.

[–] 2 pts

Yeah, A lot of security researchers do exactly this. They say "I'm going public with this in 1 month".

It is amazing how many dev's/companies just don't care and won't fix it until it could publicly cause them a lost of $$$ or respect in a community.