On Thu, Oct 20, 2005 at 01:20:59PM +0000, bannedit@xxxxxxxxxxxxxxx wrote:
> I just released a vulnerability last night so hopefully the security
> team considers it worthy of a DSA. How long does it usually take for a
> DSA to be created and released?
Can take days, or weeks. It really depends. Partly it is down to:
* How obvious the hole is.
* How simple the patch is.
* (Whether there is a patch available at all).
* Whether the team can manage it immediately, or need maintainer help.
* Exactly how many other advisories are pending.
In a case like the report you made I'd expect it to take a while.
You're certainly correct that there is a hole, and that it should
be changed - but without it being obviously exploitable or containing
a patch it'll be a bit of work to fix it up.
Then there's coordination with other vendors who ship the same
product, and upstream. So .. more delays.
> What are everyone's thoughts on creating proof of concept?
I like them. I tend to get bored easily though, so whilst I will
often write something to exploit a hole I don't often share it.
I used to follow up to bugtraq after an advisory had been released
with more details, or an exploit, but now I don't often bother. I
get sick of the 40+ "out of office" mails I tend to receive when
posting there :(
> I realize it can be a good thing or a bad thing.
I guess that comes down to how complete it is. I've seen some
"crippled" exploits, although I question their effectiveness.
> I like making POC for the majority
> of the flaws I find just to prove to myself it's actually exploitable.
Ditto.
> I do realize that even if it's not exploitable in most cases the code
> should be changed, or at least that's my feelings. If it looks vulnerable
> it probably is, and if it isn't it may become vulnerable later on due to
> library changes or other external changes.
Right.
Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/