
Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217

>>> On 04.07.12 at 14:36, George Dunlap <George.Dunlap@xxxxxxxxxxxxx> wrote:
> The only caveat I can think of is that it may increase the risk,
> during the time between the predisclosure and the public announcement,
> for those not on the list.  We can basically assume that the list will
> have some blackhats.  If the timeframe is anywhere near what some
> people have asked for (e.g., 3-4 weeks), then it might become
> worthwhile for people to develop an exploit to take advantage of
> people during that timeframe.  This might be an acceptable cost, since
> those people *could* be on the list if they wanted.

Being on the list doesn't make you non-susceptible. Such an
approach, imo, would need to imply permission to anyone on
the list to deploy a fix as soon as it is available. But since
distros can't ship binaries without also making sources available,
that's a contradiction by itself.


Xen-devel mailing list
