PerlMonks  

Re^5: 5.18.0 is available NOW!

by Anonymous Monk
on May 20, 2013 at 20:36 UTC


in reply to Re^4: 5.18.0 is available NOW!
in thread 5.18.0 is available NOW!

  1. Yes. Yes. Yes
  2. No. No. No.
  3. Only is irrelevant. Only is irrelevant. Yes. No.

Replies are listed 'Best First'.
Re^6: 5.18.0 is available NOW!
by BrowserUk (Patriarch) on May 21, 2013 at 06:21 UTC

    Where is the proof of concept code? (Without it, this is nothing more than idle speculation that has cost a lot of people a lot of time and effort.)


    With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.
      where is your patch to provide an alternate?

        Two problems with that retort:

        1. It would be hard to code a patch to handle an attack vector that -- to the best of my ability to discover; and despite requests for further information and a promise of "I would release a full-disclosure document in the middle to last week of March." -- it seems has never been publicly described, let alone demonstrated.

          Indeed -- whilst I'm still waiting to hear back from MITRE (CVE DB maintainers) and a couple of other likely organisations -- I can find no trace that anyone other than demerphq has ever been made party to the details of the vulnerability.

        2. Also, based upon the scant information I have been able to glean -- and a lot of unfortunately necessary supposition -- it seems likely that any one of several one-line patches might serve to totally mitigate the possibility of CVE-2013-1667.

          With the added upside that almost none of the pain caused by the implemented solution would have been necessary.

        I'm preparing a paper -- which will probably come in 4 or 5 parts -- now. But it would surely be easier, and maybe even unnecessary, if disclosure were made.


Re^6: 5.18.0 is available NOW!
by BrowserUk (Patriarch) on May 20, 2013 at 21:53 UTC

    Wrong on every count. And posting anonymously proves it.


