How good security works

Hanno's Blog

Sunday, June 17. 2007


Comments

Hi,
I took the liberty of correcting some of your mistakes, yet not all of the Germanisms. Please consider not writing in English. You may delete this comment if you wish.


I recently wrote about sometimes being a bit unhappy about how security issues are handled in free software projects.

Today, for a change, I'll talk about an example of how to do it right. Serendipity, the software I'm using to host this blog, had an SQL injection vulnerability. On the same day that vulnerability was disclosed, they announced it and provided patches. The discoverer of the vulnerability was mentioned, too. Well, it is only able to disclose password hashes. Many other projects probably would have treated this vulnerability as »low-impact« or something like that.
But apart from that, Serendipity provided some tips about how to check if the vulnerability has already been exploited and suggested changing user passwords.

A while back, another Serendipity vulnerability had been reported. The authors had said they didn't think that it really was a vulnerability and it probably could not be used for evil. But anyway, an update was released and announced just to be sure.

Now that's good security work. The fact that Serendipity has very few vulnerabilities at all is already very good. The fact that they treat the few ones properly is even better. Some other projects should have a look at that.
#1 foo on 2007-06-20 00:02


About

This blog is written by Hanno Böck. Unless noted otherwise, its content is licensed as CC0.

The blog uses the free software Serendipity and is hosted at schokokeks.org.