Security Week in Review (2007-02-25)

Sunday, March 4. 2007

Security Week in Review (2007-02-25)

This week started the Month of PHP Bugs. The goal of this project is described here. I personally feel the manner this is being conducted is irresponsible, just as all the month of bug projects have been. I don't understand what is gained by dumping one (or more) vulnerabilities a day onto the public. If the researcher wanted to report a number of security bugs in a full disclosure manner, it would make more sense to release all information at the same time, not as a trickle. By trickling the flaws over the span of a month, the users are placed at the maximum level of risk, while hopefully drawing as much attention to the project as possible.

Red Hat is currently following this project as closely as possible with the goal of minimizing the risk to our users. Our PHP maintainer, Joe Orton, is publishing his technical analysis of the flaws in bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=mopb

Security Updates

kernel
Fixed in Red Hat Enterprise Linux 4, FC5, FC6
thunderbird
Fixed in Red Hat Enterprise Linux 4
mod_jk
Fixed in Red Hat Application Stack
gnucash
Fixed in FC6
firefox
Fixed in FC6
The FC6 version of firefox was delayed by a few days due to ppc build issues.

That's it for this week. We will keep an eye on the Month of PHP Bugs project and deal with the new flaws as appropriate.

Posted by Josh Bressers in Security Week in Review at 22:00 | Comment (1) | Trackbacks (0)

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

Why? Actually, if he disclosed all the bugs in one fell swoop, that would place the users at more risk.

And that is a non-sequitur.

And how do you know he hasn't disclosed any or all the bugs he's talked about to the php team? I don't know, you don't know. But note that the team is disfunctional and unprofessional. Just read his blog.

#1 crf on 2007-03-05 00:52 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above: BBCode format allowed
	Remember Information? Subscribe to this entry