Dailydave mailing list archives

cvs and rsync


From: Dave Aitel <dave () immunitysec com>
Date: Wed, 19 May 2004 11:31:26 -0400


So I'm sitting around uploading the new CANVAS. It takes a while. I
added the new CVS exploit, and as a bonus treat, the slightly older
rsync exploit to the mix. These two are interesting because they do
point out the weak spot with Open Source - a distributed software
engineering infrastructure leads to real world security problems. If
subversion, rsync and cvs exploits aren't a wake-up call, then I don't
know what is.

It's a hard problem. Why doesn't cvs have an option to gpg sign code
patches?

And again, if you are a hacker, are you responsible for the Open
Source community's security? Is it better for freedom to have a secure
Open Source infrastructure, or an insecure closed source infrastructure?


-dave
P.S. Nicolas Waisman did a fantastic job on the CANVAS rsync and cvs
exploits. They were...educational for us non-heap-overflow genius
mortal people.

