[VIM] Non disclosure from security vendors: Truecrypt exemple (fwd)

Steven M. Christey coley at linus.mitre.org
Tue May 2 01:14:04 EDT 2006


given all the attention being paid to Microsoft/Oracle these days, I
couldn't stop myself...

---------- Forwarded message ----------
Date: Tue, 2 May 2006 01:10:16 -0400 (EDT)
From: Steven M. Christey <coley at mitre.org>
To: dailydave at lists.immunitysec.com
Subject: Re: Non disclosure from security vendors: Truecrypt exemple


Julien TINNES said:

>A few days ago I saw that a new version of Truecrypt Linux was
>released (April the 17th), and in the changelog we can see: "Improved
>security of set-euid mode of execution" in the middle of other
>improvements. It was not even in the Bug fixes section!

This occurs on a regular basis with some open source developers, in
which the only record of a security issue occurs in a terse changelog.
You could theoretically infer the changes from a diff - assuming the
previous vulnerable version is still available - but often, the
changelog is the only information you have.  (Sometimes, even the
distros are not immune from this problem.)

CVE, OSVDB, and the other refined vuln information types face this
issue frequently.  Sometimes, only "diff digging" can tell you that an
open source vendor has fixed an issue.  And a diff isn't always clear
about what the problem was.

Whether the obfuscation is accidental or intentional, this example
demonstrates how closed source does not have a monopoly on
barely-usable vulnerability information.

- Steve


More information about the VIM mailing list