Hi Sergey,

I sometimes wonder at this bureaucracy!

Sergey Bugaev wrote:
> but in any case, it's been two months since the fixes have been
> published. Everybody should have had plenty of time to upgrade. It's
> also been possible for any attackers to infer what the vulnerabilities
> were from the patches, which are publicly accessible (if not in the
> main Hurd tree). I think it would make sense now for me to just
> publish the details of what the vulnerabilities were. It should be an
> interesting read for everyone, and it would hopefully help with the
> CVE process somewhat (assuming someone would be interested in it,
> perhaps they even would be able to complete the process in my
> absence?). And also I expect to forget the details in a year's time (I
> must have already forgotten some!), so I better do it now rather than
> afterwards.
>
> So, if anybody knows of a reason I shall not do this, speak now or
> forever hold your peace! :)

At this point, I would publish them. As you write, from your mitigations several could be inferred. Also, to be honest, I don't think anybody is using HURD in something mission critical, but who knows! In that case, your patches are already a guide and the CVE will be of use.

Riccardo