Dailydave mailing list archives
Re: DSU
From: pageexec () freemail hu
Date: Wed, 12 Jul 2006 11:23:49 +0200
On 12 Jul 2006 at 11:00, Florian Weimer wrote:
>> nice try but then how do you explain the following:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2448
>> in particular note the date of the CVE entry vs. that of the commit and
>> the obvious discrepancy between the two descriptions.
>
> There is no discrepancy. The commit message does not address the
> security aspect at all.
if that's not a discrepancy then what is it? sweeping the real problem under the carpet? the git commit does not at all mention the ability to read arbitrary kernel memory whereas at least the Red Hat bugzilla mentions it 3 days before, so it's not like the impact wasn't understood at the time of the commit.
>> something known to be a security bug in May (hence the request for the
>> CVE entry) was committed with a rather non-descript message next month.
>
> The CVE name likely comes from a CNA pool. In this case, the assignment
> date has *nothing* to do with the discovery date.
when was it discovered? at least a few days before, according to the Red Hat bugzilla. my point was, once again, that at the time the commit was made, its full impact was well known, yet it was not mentioned *at all* (regardless of when the CVE entry was created, though i bet it happened before the git commit).
>> i for one would really like to see what went on on vendor-sec or the
>> kernel security list regarding this bug.
>
> Hey, a local DoS on a fringe architecture is not worth a conspiracy.
reading arbitrary kernel memory is not DoS (i'll leave the fringe comment for IBM'ers to answer ;-). we'll see the conspiracy part if/when we get to see the actual discussion. were you party to it by any chance?

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- DSU Dave Aitel (Jul 11)
- Re: DSU TINNES Julien RD-MAPS-ISS (Jul 12)