[thelist] News Item: Major Security Flaw in CVS

Jason Handby jasonh at pavilion.co.uk
Fri Jan 24 04:08:01 CST 2003


> We could go on and on debating the various merits of both open source
> and commercial software, but when it comes to overall product security
> and the speed at which vulnerabilities are repaired, OSS has the
> commercial world beat by a long shot. Remote exploits go unfixed for
> *months* in the world of big, expensive applications. Rarely (if ever)
> is that the case with OSS.

The famous exception, of course, being the vulnerability in all BSD-derived
versions of telnetd (the UNIX/Linux telnet daemon). This buffer overrun had
existed for years before anyone noticed it was there.

  http://www.cert.org/advisories/CA-2001-21.html

I wonder if that points up a weakness with the open-source code review
process: people only spend time looking at code that's cutting-edge or
"sexy", and telnetd clearly isn't sexy... At Microsoft (for example)
programmers don't revisit and re-examine code because it's sexy; they do it
because they're paid to. This might mean it's not done as thoroughly or as
fast in many cases, but perhaps it guarantees that it's actually done at
all!

Jason