Proposal
ari edelkind
edelkind-list-freebsd-security at episec.com
Wed Apr 9 16:18:22 UTC 2014
On Wed, Apr 9, 2014 at 11:37 AM, Joe Holden wrote:
> 24 hours for a fix that doesn't break ABI and is relatively simple (and
> proven to be fine by other distros) is horrendous for such a critical
> problem. I mentioned this on twitter also, but there wasn't even a headsup
> from the SO until the patch went live.
>
To give this some additional perspective, it took me approximately 30
minutes to write a working exploit.
Everyone makes a big deal out of private keys (which, admittedly, are a big
deal), but i was able to collect usernames, passwords, session credentials,
back-end single-sign-on credentials (e.g. client tokens), database
passwords, and more from affected hosts -- all quite easily.
ari
More information about the freebsd-security
mailing list