Re: Proposal

Board: FB_security, Date: 2014/04/10 02:01, Thread: 14/37
On Wed, Apr 9, 2014 at 11:37 AM, Joe Holden wrote:

> 24 hours for a fix that doesn't break ABI and is relatively simple (and
> proven to be fine by other distros) is horrendous for such a critical
> problem. I mentioned this on Twitter also, but there wasn't even a heads-up
> from the SO until the patch went live.
>

To give this some additional perspective, it took me approximately 30 minutes to write a working exploit. Everyone makes a big deal out of private keys (which, admittedly, are a big deal), but I was able to collect usernames, passwords, session credentials, back-end single-sign-on credentials (e.g. client tokens), database passwords, and more from affected hosts -- all quite easily.

ari

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article code (AID): #1JHOhWye (FB_security)