Sunday, June 17, 2007

How good security works
I recently wrote about sometimes being a bit unhappy about how security issues are handled in free software projects. Today, for a change, I'll talk about an example of how to do it right.

Serendipity, the software I'm using to host this blog, had an SQL injection vulnerability. On the same day that vulnerability was disclosed, they announced it and provided patches. The discoverer of the vulnerability was mentioned, too. Well, it is only able to disclose password hashes, and many other projects probably would have treated this vulnerability as »low-impact« or something like that. But apart from that, Serendipity provided some tips on how to check whether the vulnerability had already been exploited and suggested changing user passwords.

A while back, another Serendipity vulnerability had been reported. The authors said they didn't think that it really was a vulnerability and that it probably could not be used for evil. But an update was released and announced anyway, just to be sure.

Now that's good security work. The fact that Serendipity has very few vulnerabilities at all is already very good. The fact that they treat the few ones properly is even better. Some other projects should have a look at that.

Comments

Hi,
I took the liberty of correcting some of your mistakes, yet not all of the Germanisms. Please consider not writing in English. You may delete this comment if you wish.
About me

You can find my web page with links to my work as a journalist at https://hboeck.de/. You may also find my newsletter about climate change and decarbonization technologies interesting.

Hanno Böck, mail: hanno@hboeck.de