oss-sec mailing list archives

Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

From: mancha <mancha1 () zoho com>
Date: Fri, 24 Jul 2015 15:56:25 +0000

On Thu, Jul 23, 2015 at 08:43:43PM +0200, Leif Nixon wrote:

Qualys Security Advisory <qsa () qualys com> writes:

Hello, it is July 23, 2015, 17:00 UTC, the Coordinated Release Date
for CVE-2015-3245 and CVE-2015-3246.  Please find our advisory
below, and our exploit attached.


*Why* are you releasing a full exploit just minutes after the patch is
released?

(Disclosure: I am employed by Red Hat, but this is my purely personal
question.)

-- Leif Nixon


There was absolutely nothing wrong with Qualys' timing. When the embargo
ends, it ends.  

The real problem is the underlying model: "responsible disclosure". It's
nothing more than a CYA strategy that doesn't maximize the ecosystem's
welfare. The positive-sounding name fools some into thinking it a good
thing.

--mancha

Attachment: _bin
Description:

Current thread:

Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser, (continued)
- - - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Leif Nixon (Jul 24)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Martino Dell'Ambrogio (Jul 24)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Joshua Rogers (Jul 24)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Leif Nixon (Jul 24)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Brad Knowles (Jul 24)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Leif Nixon (Jul 25)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Michal Zalewski (Jul 25)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Dave Horsfall (Jul 25)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Brad Knowles (Jul 25)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Hanno Böck (Jul 26)
  - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser mancha (Jul 24)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Brandon Perry (Jul 24)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser mancha (Jul 27)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Ankeet Presswala (Jul 27)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser z80 (Jul 29)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Solar Designer (Jul 29)
  - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Stephan Wiesand (Jul 24)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser gremlin (Jul 26)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Solar Designer (Jul 29)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Qualys Security Advisory (Jul 31)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Jeff Collins (Jul 27)