On Thu, Oct 20, 2005 at 01:20:59PM +0000, bannedit@xxxxxxxxxxxxxxx wrote:
> I just released a vulnerability last night so hopefully the security
> team considers it worthy of a DSA. How long does it usually take for a
> DSA to be created and released?
Can take days, or weeks. It really depends. Partly it is down to:
* How obvious the hole is.
* How simple the patch is.
* (Whether there is a patch available at all).
* Whether the team can manage it immediately, or need maintainer help.
* Exactly how many other advisories are pending.
In a case like the report you made I'd expect it to take a while.
You're certainly correct that there is a hole, and that it should
be changed - but without it being obviously exploitable or containing
a patch it'll be a bit of work to fix it up.
Then there's coordination with other vendors who ship the same
product, and upstream. So .. more delays.
> What is everyones thoughts on creating proof of concept.
I like them. I tend to get bored easily though, so whilst I will
often write something to exploit a hole I don't often share it.
I used to followup to bugtraq after an advisory had been released
with more details, or an exploit, but now I don't often bother. I
get sick of the 40+ "out of office" mails I tend to receive when
posting there :(
> I realize it can be a good thing or a bad thing.
I guess that comes down to how complete it is. I've seen some
"crippled" exploits, although I question their effectiveness.
> I like making POC for the majority
> of the flaws I find just to prove to myself it's actually exploitable.
Ditto.
> I do realize that even if it's not exploitable in most cases the code
> should be changed, or at least that's my feeling. If it looks vulnerable
> it probably is and if it isn't it may become vulnerable later on due to
> library changes or other external changes.
Right.
Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/