Aftermath: people, running Debian httpd 2.4.66, started complaining when they’ll get the 2.4.67 update to fix this RCE vulnerability.
-
RE: https://chaos.social/@icing/116526903529846107
Aftermath: people, running Debian httpd 2.4.66, started complaining when they’ll get the 2.4.67 update to fix this RCE vulnerability. Which they already were protected from, but did not know. Because the CVE was not public at the time the fix was shipped.
[...]
Two security researchers found the vulnerability independently. Just scanning the 2.4.66 source code. This means the bad guys can no longer be kept in the dark. Coordinated disclosure no longer works.
-
RE: https://chaos.social/@icing/116526903529846107
Aftermath: people, running Debian httpd 2.4.66, started complaining when they’ll get the 2.4.67 update to fix this RCE vulnerability. Which they already were protected from, but did not know. Because the CVE was not public at the time the fix was shipped.
[...]
Two security researchers found the vulnerability independently. Just scanning the 2.4.66 source code. This means the bad guys can no longer be kept in the dark. Coordinated disclosure no longer works.
Eh... This isn't a particularly new issue. Doesn't even require source code, either. Bindiff is a couple decades old at this point.
Just because coordinated disclosure is hard and messy and flawed doesn't mean we should give up on the idea of protecting downstream users like the jerks behind the copy.fail disclosure did.
-
Eh... This isn't a particularly new issue. Doesn't even require source code, either. Bindiff is a couple decades old at this point.
Just because coordinated disclosure is hard and messy and flawed doesn't mean we should give up on the idea of protecting downstream users like the jerks behind the copy.fail disclosure did.
@DaveMWilburn Not disagreeing - I think Eissing is using "responsible" here on purpose, rather than "coordinated"
-
R relay@relay.infosec.exchange shared this topic
