LinuxWorld.com: 'Chinese Whisper' security advisories (by Red Hat Sr. Dir. of Engineering Mark Cox)

Jan 23, 2002, 14:48 (3 Talkback[s])
(Other stories by Mark J. Cox)

"Are application developers, Linux vendors, and the media playing this game when they report vulnerabilities in open source software? I think so -- what compelled me to write this is when I reviewed how a recent security vulnerability got reported.

It is essential that security vulnerabilities get reported accurately so that affected users can make informed decisions, and so we don't get caught up in spreading unnecessary fear, uncertainty, and doubt. Since joining the security team at Red Hat, I've found many examples across the industry in which vulnerabilities were reported inaccurately. All vendors have made mistakes at some time, and no vendor seems to be any better or worse than the other. Fortunately, these mistakes do not appear to be malicious -- just the result of a game of Chinese Whispers.

A vulnerability was found in the mutt e-mail client in December 2001, and Linux vendors quickly released new versions of their mutt packages to fix the problem. However, in looking at the confusing advisory details, you would have thought each vendor had actually fixed a completely different vulnerability."

Complete Story

Related Stories:

• Debian Bugs: Social Contract: We Do Hide Problems(Jan 18, 2002)
• The Register: MS' highest priority must be security - Billg(Jan 18, 2002)
• NewsBytes.com: 'White Hat' Hackers Threaten Information Anarchy(Nov 08, 2001)
• The Register: FBI lists 20 most dangerous Internet security holes (Oct 04, 2001)
• IBM developerWorks: Improving the security of open UNIX platforms(Sep 30, 2001)