Dailydave mailing list archives
Re: Non disclosure from security vendors: Truecrypt exemple
From: "Steven M. Christey" <coley () mitre org>
Date: Tue, 2 May 2006 01:10:16 -0400 (EDT)
Julien TINNES said:
> A few days ago I saw that a new version of Truecrypt Linux was released (April 17th), and in the changelog we can see: "Improved security of set-euid mode of execution" in the middle of other improvements. It was not even in the Bug fixes section!
This occurs on a regular basis with some open source developers, in which the only record of a security issue is a terse changelog entry. You could theoretically infer the changes from a diff - assuming the previous vulnerable version is still available - but often, the changelog is the only information you have. (Sometimes, even the distros are not immune to this problem.)

CVE, OSVDB, and the other refined vuln information types face this issue frequently. Sometimes, only "diff digging" can tell you that an open source vendor has fixed an issue. And a diff isn't always clear about what the problem was.

Whether the obfuscation is accidental or intentional, this example demonstrates how closed source does not have a monopoly on barely-usable vulnerability information.

- Steve
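The "diff digging" Steve describes can be partly mechanised: diff the previous release against the new one and pull out only the hunks whose changed lines touch privilege-sensitive calls. The script below is an added example, not code from the thread, from TrueCrypt, or from any of the projects mentioned; the two source trees it compares (a hypothetical setuid helper, `src/helper.c`, plus a `README`) are constructed inline, and the list of "sensitive" calls is an illustrative starting point rather than an exhaustive one.

```python
"""Diff digging: isolate the hunks in a release-to-release diff that touch
privilege-sensitive code, so a reviewer knows where to look first when the
changelog only says something like "improved security".

Added example; the sample trees and the keyword list are constructed here."""
import difflib
import re
from typing import Dict, List

# Calls whose presence in a *changed* line makes a hunk worth a human's eye.
# Illustrative, not exhaustive: privilege changes, environment access,
# process spawning, a few classic unsafe string functions, file mode changes.
SENSITIVE_RE = re.compile(
    r"\b(set(?:e|re|res)?[ug]id|setgroups|initgroups|getenv|putenv|setenv|"
    r"exec[lv]p?e?|system|popen|strcpy|strcat|sprintf|umask|chown|chmod)\s*\("
)


def split_hunks(diff_lines: List[str]) -> List[List[str]]:
    """Group unified-diff output into hunks; the '---'/'+++' header lines that
    precede the first '@@' are dropped."""
    hunks: List[List[str]] = []
    current: List[str] = []
    for line in diff_lines:
        if line.startswith("@@"):
            if current:
                hunks.append(current)
            current = [line]
        elif current:          # inside a hunk: context, '+' or '-' line
            current.append(line)
        # lines before the first '@@' are the file header; skip them
    if current:
        hunks.append(current)
    return hunks


def dig(old_tree: Dict[str, str], new_tree: Dict[str, str]) -> List[dict]:
    """Diff every path present in either tree (path -> file contents) and return
    the hunks whose added or removed lines call something in SENSITIVE_RE."""
    findings = []
    for path in sorted(set(old_tree) | set(new_tree)):
        old = old_tree.get(path, "").splitlines()
        new = new_tree.get(path, "").splitlines()
        diff = list(difflib.unified_diff(old, new, f"a/{path}", f"b/{path}",
                                         n=1, lineterm=""))
        for hunk in split_hunks(diff):
            # Only '+'/'-' lines count; an unchanged context line that happens
            # to mention getenv() is not evidence that the hunk is a fix.
            changed = [ln[1:] for ln in hunk[1:] if ln[:1] in ("+", "-")]
            hits = sorted({m.group(1) for ln in changed
                           for m in SENSITIVE_RE.finditer(ln)})
            if hits:
                findings.append({"file": path, "header": hunk[0],
                                 "calls": hits, "hunk": "\n".join(hunk)})
    return findings


# --- constructed sample: a hypothetical setuid helper, before and after -----
OLD_TREE = {
    "README": "helper 4.1\nMounts volumes for unprivileged users.\n",
    "src/helper.c": """\
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    const char *mnt = getenv("HELPER_MOUNT_DIR");
    /* drop privileges before doing real work */
    seteuid(getuid());
    return run_mount(mnt);
}
""",
}
NEW_TREE = {
    "README": "helper 4.2\nMounts volumes for unprivileged users.\n",
    "src/helper.c": OLD_TREE["src/helper.c"].replace(
        "    seteuid(getuid());\n",
        "    if (setresuid(getuid(), getuid(), getuid()) != 0)\n"
        "        return 1;\n"),
}

if __name__ == "__main__":
    for f in dig(OLD_TREE, NEW_TREE):
        print(f"{f['file']} {f['header']}  touches: {', '.join(f['calls'])}")
        print(f["hunk"])
```

Run against the constructed trees, only the `src/helper.c` hunk is reported (the `README` version bump is a diff but not a finding), and the hunk shows a bare `seteuid()` being replaced with a checked `setresuid()`. Real releases need the same procedure applied to the unpacked tarballs, and the keyword list tuned to the codebase; the point is to shrink a release diff down to the handful of hunks a changelog line like "improved security" is most likely referring to.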