How good security works

Sunday, June 17. 2007, 23:51
I recently wrote that I'm sometimes a bit unhappy about how security issues are handled in free software projects.

Now, for some contrast, today I'll talk about an example of how to do it right. Serendipity, the software I'm using to host this blog, had an SQL injection vulnerability. On the same day, they announced it and provided updated packages. The finder of the vulnerability is also credited. Now, it can only be used to obtain password hashes (which an attacker can still try to crack offline); many other projects probably would have treated this vulnerability as »low-impact« or something like that.
But beyond that, they also provide some tips on how to check whether the vulnerability has already been exploited and suggest changing user passwords.

A while back, there was another vulnerability reported in Serendipity. The authors said they didn't think it was really a vulnerability and that it probably couldn't be used for anything evil. But an update was released and announced anyway, just to be sure.

Now, that's good security work. The fact that Serendipity has very few vulnerabilities at all is already very good. The fact that they treat the few ones properly is even better. Some other projects should have a look at that.

Comments

Hi,
I took the liberty of correcting some of your mistakes, yet not all of the Germanisms. Please consider not writing in English. You may delete this comment if you wish.


I recently wrote about sometimes being a bit unhappy about how security issues are handled in free software projects.

Today, for a change, I'll talk about an example of how to do it right. Serendipity, the software I'm using to host this blog, had an SQL injection vulnerability. On the same day that vulnerability was disclosed, they announced it and provided patches. The discoverer of the vulnerability was mentioned, too. Well, it is only able to disclose password hashes. Many other projects probably would have treated this vulnerability as »low-impact« or something like that.
But apart from that, Serendipity provided some tips about how to check if the vulnerability has already been exploited and suggested changing user passwords.

A while back, another serendipity vulnerability had been reported. The authors had said they didn't think that it really was a vulnerability and it probably could not be used for evil. But anyway, an update was released and announced just to be sure.

Now that's good security work. The fact that Serendipity has very few vulnerabilities at all is already very good. The fact they treat the few ones properly is even better. Some other projects should have a look at that.
#1 foo on 2007-06-20 00:02
