bug-hurd

Re: On conscription, copyright assignment, and CVEs


From: Riccardo Mottola
Subject: Re: On conscription, copyright assignment, and CVEs
Date: Mon, 11 Oct 2021 21:25:49 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 SeaMonkey/2.53.9.1

Hi Sergey,

I sometimes wonder at this bureaucracy!


Sergey Bugaev wrote:
> but in any case, it's been two months since the fixes have been
> published. Everybody should have had plenty of time to upgrade. It's
> also been possible for any attackers to infer what the vulnerabilities
> were from the patches, which are publicly accessible (if not in the
> main Hurd tree). I think it would make sense now for me to just
> publish the details of what the vulnerabilities were. It should be an
> interesting read for everyone, and it would hopefully help with the
> CVE process somewhat (assuming someone would be interested in it,
> perhaps they even would be able to complete the process in my
> absence?). And also I expect to forget the details in a year's time (I
> must have already forgotten some!), so I better do it now rather than
> afterwards.
>
> So, if anybody knows of a reason I shall not do this, speak now or
> forever hold your peace! :)

At this point, I would publish them. As you write, from your mitigations
several could be inferred.
Also, to be honest, I don't think anybody is using HURD in something
mission critical, but who knows! In that case, your patches are already
a guide and the CVE will be of use.

Riccardo


