httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: [VOTE] obscuring (or not) commit logs/CHANGES for fixes to vulnerabilities
Date Fri, 10 Jan 2014 14:53:38 GMT
+1

in some cases reconsidering whether a used option is really needed
and disabling it may close a vulnerability; the admin only
needs to know that there is danger

On 10.01.2014 15:24, Jim Jagielski wrote:
> +1
> On Jan 10, 2014, at 8:44 AM, Jeff Trawick <trawick@gmail.com> wrote:
> 
>> [X] It is mandatory to provide best available description and any available tracking information when committing fixes for vulnerabilities to any branch, delaying committing of the fix if the information shouldn't be provided yet.
>>
>> --/--
>>
>> IMO it is not appropriate to let skilled attackers see a code change (which they can analyze to determine if there is an impact that they can exploit) if you are not going to make it possible for the general user community looking at the same commit activity to decide if they need to take an action.


