Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: Strange CVE situation (at least one ID should come of this)
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 30 Oct 2012 14:28:08 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/30/2012 11:39 AM, Henri Salo wrote:
On Tue, Oct 30, 2012 at 01:34:07PM -0400, Steven M. Christey
wrote:
Perhaps the OSS community could borrow an idea from one of the 
framework vendors with lots of third-party modules - I forget if
it was Joomla or Drupal - who actively maintained a list of
poorly maintained or obsolete software.

There is at least http://docs.joomla.org/Vulnerable_Extensions_List
and Drupal is coordinating contrib modules too (code reviews,
advisories, etc). I don't know if Joomla security guys handle
vulnerable extensions in some level or not.

- Henri Salo

Does Drupal throw up a warning if you try to use one of these extensions?

It occurs to me we need a mechanism similar to CRL/OCSP for software,
especially things with plugins like Drupal/WordPress/Firefox/Chrome so
that we can at least warn users of bad software.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQkDhYAAoJEBYNRVNeJnmTPpYP/jL2WyeKwCZLEbWR0jb84cd6
Z+qJ/g9XvMicZr7n8n4huNqBF1K4eZ8/GN+JSj53XA8WA/CWFfpZ6POMxbxzQnq4
nVGl6iB4/mnnRFHMcCejAwV/bNi5W2yOlAkVBwbzPc2UM2X2iG3vEWOs+m8AfT0E
Psde9Mj2X7hoVNy/nH0uIgPomQIT0ErIPYv/4fJgROKoIQGCWF7JG9WiWGboHNfd
lnxYDrC0JLB2EG1P3aFarL6LRCIXyC7C344TbRd4l3Ye6H99Auw8ZheSbiYlITUH
HDlUj/PemXruY04p4CLymXklGKIqi9ZTpfPnpHJyyMn4U3kdgM/ZE7hFlT1xl7mu
8/qvGj772E942LUrnpGmW3iATVOkBzmEg7IjOOiAzW9XsujV4Nmpsm1B1+GFOded
u9FnUDoJa4oqpY0zkr2YI43UzfIV+vb0lBdrAQsxk3xame/8lgJSh7nw90PjKV8p
oulkVDcqpnZoleflztgloGP0CqxBF91AoDOyPLX2UygopYCt8FvvcMCUhIupS1HO
0HBsHP+karYpnh3R0MO67UVcaN+h93Pd98Zzyr23mnnLMdvxXC4e2pUPDBFObqkH
UaB2eTqZVPaa1swOT5Z5lRJLU6BDwW/ITD6odg7tuxi64go18PPK1O3EBdz8bs9V
2ntc+2tdD5xT95aAAiS7
=qntM
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]