Full Disclosure mailing list archives
Re: [caudium-devel] [SECUNIA] Regarding Secunia Advisory SA13040
From: Xavier Beaudouin <kiwi () oav net>
Date: Wed, 22 Dec 2004 18:17:39 +0100
Begin forwarded message:

From: Marek Habersack <grendel () caudium net>
Date: 22 December 2004 15:12:22 GMT+01:00
To: caudium-devel () caudium net
Cc: kiwi () caudium net, vuln () secunia com, vulnwatch () vulnwatch org, Full Disclosure <full-disclosure () lists netsys com>
Subject: Re: [caudium-devel] [SECUNIA] Regarding Secunia Advisory SA13040
Reply-To: caudium-devel () caudium net

On Wed, Dec 22, 2004 at 02:47:30PM +0100, Thomas Kristensen scribbled:

> Hi Xavier,
>
> The information in Secunia Advisory SA13040 is based on your own Changelog at Sourceforge.
>
> SA13040: http://secunia.com/SA13040
>
> On 30th November you wrote to Secunia that this only affected the 1.4 branch. One hour later Secunia updated the advisory to reflect this and you received an answer with a confirmation that we had updated the advisory.

You should have done that in the first place - before posting any information about bugs. By releasing such erroneous advisories you do a malservice to both the vendors and the community. One effect of your advisory was that nessus started flagging all scanned machines running Caudium as vulnerable. That, for some people, generated costs in real money - all because of your lack of willingness to provide the community with accurate and trustworthy information. Personally, I will regard any other advisory from Secunia as unreliable.

Do you find it as natural not to perform any tests to confirm your advisory?

> If you spotted any other omissions back then, you could have contacted us again - obviously you didn't.
>
> Additionally, any information listed in product changelogs is considered public knowledge. Naturally, we don't contact vendors before issuing advisories based on information in their own changelogs / release notes.

Also, is it customary to release advisories about non-released or development projects that are moving targets? I suppose we will have to forget about the OSS rule "release soon, release often" - since any bug in a development (CVS/SVN/Arch/whatever) version will be considered a serious security threat.

I can see a splendid opportunity to fool Secunia. I will start putting false changelog entries in our repositories announcing all kinds of grave and serious errors. I would love it if other vendors started doing that as well - I wonder how you, as professionals, would look if it started to turn out that your "advisories" are cut-and-pastes from vendor development changelogs - untested, unconfirmed, unchecked.

> Also, we are not going to remove this advisory, as it is based on your own information. However, if you have any relevant additional information, we will naturally review it and update the advisory accordingly.
>
> Kind regards,

best regards and I hope you will take the time during the upcoming holidays to think about the way you do your work - since it is affecting other people's work, you are obliged to take every step and measure to prevent unreliable information from coming out from you.

And a single note below - please don't take what I wrote personally. Treat it as something coming from professional to professional.

marek
--
Xavier Beaudouin - Unix System Administrator & Projects Leader.
President of Kazar Organization : http://www.kazar.net/
Please visit http://caudium.net/, home of Caudium & Camas projects

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html