[kwlug-disc] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Chris Irwin chris at chrisirwin.ca
Thu Mar 29 11:12:35 EDT 2018


On Wed, Mar 28, 2018 at 10:51 PM, Bob Jonkman <bjonkman at sobac.com> wrote:

> Khalid wrote:
> > The FAQ is intentionally vague to make it hard(er) for exploiters.
>
> Not meaning to pile on Khalid, but that hardly seems like "full
> disclosure" to me.
>

I have no experience with Drupal, or their history of disclosure, but I
think this kind of partial disclosure is common for serious vulnerabilities.

But I like the model that Gitlab uses. They release security updates
immediately, referencing the appropriate CVEs, but wait 30 days for full
disclosure. Not that exploits will take 30 days to reverse-engineer, but it
at least should give a chance to have patched systems out there.

In the case of a super-serious flaw, they've gone as far as announcing
ahead of time that the release is coming out at XX time on YY day, and be
prepared to upgrade. For example:

https://about.gitlab.com/2018/01/12/gitlab-critical-release-preannouncement/

-- 
Chris Irwin
<chris at chrisirwin.ca>