[arch-security] Openssl flaw

Timothée Ravier siosm99 at gmail.com
Tue Apr 8 09:43:49 EDT 2014


On 08/04/2014 15:34, G. Schlisio wrote:
>> Why?  Just list every piece of software since the day it was first
>> released.  That would be accurate.
> 
> i'm not sure we understand each other.
> if i understand you correctly, you think that vulns are in the software
> mainly from the beginning until they are fixed.
> but in this special case it was introduced with a new release.
> my point was that the exposure time might be important information.
> a long exposure like in this case means that this vuln could have been
> exploited systematically, while an exposure time of a day makes
> widespread exploits far less likely.

I agree with Allan here:

> I added this column in the wiki for tracking the responsiveness of
> the packagers to handling security issues to see where we can
> improve.

What matters for us to track is the time it takes for us to notice and
for Arch packagers to fix the issue once it has been disclosed.

Finding how long a specific vulnerability has been available and
exploitable is generic information not related to Arch Linux.

I'm not against adding it to the wiki as a separate column.

By the way, there is another minor issue: the Update/Bug column has a
double usage; maybe we should split this one in two.

-- 
Timothée Ravier

