Re: [caudium-devel] [SECUNIA] Regarding Secunia Advisory SA13040

[Xavier Beaudouin <kiwi () oav net>]

Début du message réexpédié :

> De: Marek Habersack <grendel () caudium net>
> Date: 22 décembre 2004 15:12:22 GMT+01:00
> À: caudium-devel () caudium net
> Cc: kiwi () caudium net, vuln () secunia com, vulnwatch () vulnwatch org, Full 
> Disclosure <full-disclosure () lists netsys com>
> Objet: Rép : [caudium-devel] [SECUNIA] Regarding Secunia Advisory 
> SA13040
> Répondre à: caudium-devel () caudium net
>
> On Wed, Dec 22, 2004 at 02:47:30PM +0100, Thomas Kristensen scribbled:
> > Hi Xavier,
> >
> > The information in Secunia Advisory SA13040 is based on your own
> > Changelog at Sourceforge.
> >
> > SA13040:
> > http://secunia.com/SA13040
> >
> > On 30th November you wrote to Secunia that this only affected the 1.4
> > branch. One hour later Secunia updated the advisory to reflect this 
> > and
> > you received an answer with a confirmation that we had updated the
> > advisory.
> You should have done that in the first place - before posting any
> information about bugs. By releasing such erroneous advisories you do a
> malservice to both the vendors and the community. One effect of your
> advisory was that nessus started flagging all scanned machines running
> Caudium as vulnerable. That, for some people, generated costs in real 
> money
> - all because of your lack of willingness to provide the community 
> with the
> accurate and trustworthy information. Personally, I will regard any 
> other
> advisory from Secunia as unreliable.
>
> > If you spotted any other omissions back then, you could have contacted
> > us again - obviously you didn't.
> >
> >
> > Additionally, any information listed in product changelogs is 
> > considered
> > public knowledge. Naturally, we don't contact vendors before issuing
> > advisories based on information in their own changelogs / release 
> > notes.
> Do you find is as natural not to perform any tests to confirm your 
> advisory?
> Also, is it customary to release advisories about non-released or
> development projects that are moving targets? I suppose we will have to
> forget about the OSS rule "release soon, release often" - since any 
> bug in a
> development (CVS/SVN/Arch/whatever) version will be considered a 
> serious
> security threat.
>
> > Also, we are not going to remove this advisory, as it is based on your
> > own information. However, if you have any relevant additional
> > information, we will naturally review them and update the advisory
> > accordingly.
> I can see a splendid opportunity to fool Secunia. I will start putting 
> false
> changelog entries in our repositories announcing all kinds of grave and
> serious errors. I would love if other vendors start doing that as well 
> - I
> wonder how would you, as professionals, look if it started to turn out 
> that
> your "advisories" are cut-and-paste's from vendor development 
> changelogs -
> untested, unconfirmed, unchecked.
>
> > Kind regards,
> best regards and I hope you will take the time during the upcoming 
> holidays
> to think about the way you do your work - since it is affecting other
> people's work, you are obliged to take every step and measure to 
> prevent
> unreliable information from coming out from you.
>
> And a single note below - please don't take what I wrote personally. 
> Treat
> it as something coming from professional to professional.
>
> marek
--
Xavier Beaudouin - Unix System Administrator & Projects Leader.
President of Kazar Organization : http://www.kazar.net/
Please visit http://caudium.net/, home of Caudium & Camas projects


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html