Dailydave mailing list archives
cvs and rsync
From: Dave Aitel <dave () immunitysec com>
Date: Wed, 19 May 2004 11:31:26 -0400
So I'm sitting around uploading the new CANVAS. It takes a while. I added the new CVS exploit, and as a bonus treat, the slightly older rsync exploit to the mix. These two are interesting because they do point out the weak spot with Open Source - a distributed software engineering infrastructure leads to real world security problems. If subversion, rsync and cvs exploits aren't a wake-up call, then I don't know what is.

It's a hard problem. Why doesn't cvs have an option to gpg sign code patches?

And again, if you are a hacker, are you responsible for the Open Source community's security? Is it better for freedom to have a secure Open Source infrastructure, or an insecure closed source infrastructure?

-dave

P.S. Nicolas Waisman did a fantastic job on the CANVAS rsync and cvs exploits. They were...educational for us non-heap-overflow genius mortal people.