Procedure for handling actively exploited security bugs with patches?

Stephen John Smoogen smooge at gmail.com
Sun Feb 10 21:17:32 UTC 2008


On Feb 10, 2008 1:59 PM, Andrew Farris <lordmorgul at gmail.com> wrote:
>
> Stephen John Smoogen wrote:
> > On Feb 9, 2008 12:11 PM, Lubomir Kundrak <lkundrak at redhat.com> wrote:
> >> Hi,
> >>
> >> On Fri, 2008-02-08 at 21:16 -0800, Bryan O'Sullivan wrote:
> >>> A bug in a piece of widely used PHP-based software was announced a few
> >>> days ago, and it's now being actively exploited by spammers:
> >>>
> >>> http://wordpress.org/development/2008/02/wordpress-233/
> >>>
> >>> Affected machines include my server, which is running F-8.  Eep.
> >> Pardon me -- my point of view is by using wordpress you voluntarily agree
> >> to get exploited, and no wordpress vulnerability is ever to be
> >> considered as having priority higher than low.
> >>
> > ...
> >
> >> Please note that responsible configuration in most cases implies no
> >> WordPress. Don't get me wrong please -- look at its security track.
> >>
> >> PS: Note we may be on during weekends too anyways -- as I am now.
> >> Remember we fixed a security issue on Christmas Eve.
> >>
> >> Thanks,
> >> --
> >> Lubomir Kundrak (Red Hat Security Response Team)
> >>
> >
> > Wow, I would say the same thing about the kernel. I mean look at its
> > track record: over the last 6 months and many years there have been
> > tons of security updates for it. Are there any packages that don't hit
> > that litmus check (other than maybe DJB software)?
> >
> > People use the tools that are useful for them. The job of a security
> > professional is to help them make better choices. In some cases that
> > is making the tool better, in other cases it is finding them a better
> > tool to work with. Commenting about how one feels a software choice
> > was poor when that person is dealing with a crisis, does not help the
> > person affected at all, and gives in this case Red Hat, Fedora, and
> > other security professionals a bad name.
>
> Nevertheless any security professional has limited resources and time, and they
> must choose to fix what can be fixed in some order given those resources... and
> it is *absolutely reasonable* to consider a piece of software with a record of
> having many poor coding practice caused security issues to be lower priority.

Uhm no. Poor coding practice always gets outweighed by size of use,
or we would never have patched sendmail, early versions of X, parts of
the kernel, etc. over the years. Plus the fact that, ahem, Red Hat has
some sub-sites that might be affected by this says that it is a
higher priority than low.

> Nothing in Lubomir's email said he or anyone else in RH and Fedora security
> teams do not intend to fix WP problems.

I apologize for the fact that my language was very much 'holier than
thou' and a better edited version should have been sent to him
directly versus on list.


-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"




More information about the fedora-devel-list mailing list