
Re: Concerns about how the Security information is presented on Debian.org



Dear Max, 
I am a simple user.
Thank you for notifying the community of the unresolved Chromium vulnerabilities.
You can use official channels to report vulnerabilities. Also, if you find these vulnerabilities "dangerous" and underrated, report them to the community as you did with Chromium. You must not leave the community or unsubscribe from this mailing list.

CVE is a database managed in partnership with Homeland Security (USA) and you use an email with a warrant canary. You are also an expert in social engineering, you know "Security through obscurity (STO)" (speakeasy-like). And these vulnerabilities are a good "metus hostilis" for a target.

Thank you. 

On Tue, 21 Dec 2021, 22:45 Max WillB <maxwillb@mailfence.com> wrote:
One DD replied off-the-list, so I'll quote him without attribution:

> I understand your concern, but practicality is better than theory.
>
> (...) we will get notification when vulnerabilities are exploited, and so we get priority.

It's not so theoretical:

"Google is aware that an exploit for CVE-2021-37973 exists in the wild."

https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html

This was 3 months ago. This hole is still open in Debian Stable, among many others.

> (...) You will not find many exploitations on updated systems. And this matters more than theory. We have a social contract to users, not to philosophers.

A good fraction of Debian 10 and 11 users are using Chromium as we speak. They probably had a look in debian.org/security at some point, but the page failed to warn them. Almost every Debian user I've interacted with mistakenly believes that Debian applies all relevant security updates to all packages.

It's pretty disappointing that of the 1000+ list subscribers no one agreed with me, publicly.

Anyway, I've said my piece, and I don't know what else I could add. I already sound like a broken record. Unsubscribing.

--
Sent with https://mailfence.com 
Secure and private email
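The thread turns on one practical question: does the package version shipped in your Debian release actually carry the fix for a given CVE? The Debian security tracker publishes per-package, per-release CVE status as JSON, which lets a user answer that without trusting a summary page. The script below is an added example for this thread, not code from Debian or from either poster. It assumes the shape of the tracker export (package -> CVE -> releases -> status) matches the layout sketched in the docstring; the sample data is constructed here, and only the CVE id CVE-2021-37973 comes from the message above, its version strings and urgency values are illustrative.

```python
"""List CVEs still marked open for installed source packages in one Debian release.

Assumption: the input mirrors the Debian security tracker JSON export
(https://security-tracker.debian.org/tracker/data/json), i.e. a mapping
source-package -> CVE id -> {"releases": {release: {"status": ..., ...}}}.
Verify field names against the live export before depending on them.
"""
import json
from typing import Dict, List

# Constructed sample in the assumed tracker shape. CVE-2021-37973 is the id
# from the thread; statuses, urgencies and versions are illustrative only.
# "CVE-0000-0001" is a placeholder id for a second, already-resolved entry.
SAMPLE_TRACKER_JSON = json.dumps({
    "chromium": {
        "CVE-2021-37973": {
            "description": "(constructed) memory-safety issue fixed upstream",
            "scope": "remote",
            "releases": {
                "buster":   {"status": "open", "urgency": "high",
                             "repositories": {"buster": "90.0.0-1~deb10u1"}},
                "bullseye": {"status": "open", "urgency": "high",
                             "repositories": {"bullseye": "90.0.0-1"}},
                "sid":      {"status": "resolved", "urgency": "high",
                             "fixed_version": "94.0.0-1",
                             "repositories": {"sid": "94.0.0-1"}},
            },
        },
        "CVE-0000-0001": {
            "description": "(placeholder) already fixed everywhere",
            "releases": {
                "bullseye": {"status": "resolved", "urgency": "medium",
                             "fixed_version": "89.0.0-1"},
            },
        },
    },
})

# Sort order for findings; unknown urgencies sort last.
URGENCY_RANK = {"high": 0, "medium": 1, "low": 2, "unimportant": 3}


def load_tracker(text: str) -> Dict:
    """Parse a tracker-style JSON document into a dict."""
    return json.loads(text)


def open_cves(tracker: Dict, release: str, installed: List[str]) -> List[Dict]:
    """Return CVEs whose status for `release` is still "open" for each
    installed source package, ordered by urgency then CVE id.

    `installed` holds source package names; on a Debian host they can be
    produced with:  dpkg-query -W -f='${source:Package}\n' | sort -u
    """
    findings = []
    for pkg in installed:
        for cve_id, entry in tracker.get(pkg, {}).items():
            rel = entry.get("releases", {}).get(release)
            # Packages absent from the release, or already resolved, are skipped.
            if not rel or rel.get("status") != "open":
                continue
            findings.append({
                "package": pkg,
                "cve": cve_id,
                "urgency": rel.get("urgency", "unknown"),
                "version": rel.get("repositories", {}).get(release, "?"),
                "description": entry.get("description", ""),
            })
    findings.sort(key=lambda f: (URGENCY_RANK.get(f["urgency"], 99), f["cve"]))
    return findings


if __name__ == "__main__":
    data = load_tracker(SAMPLE_TRACKER_JSON)
    for f in open_cves(data, "bullseye", ["chromium"]):
        print(f"{f['cve']} {f['package']} {f['version']} urgency={f['urgency']}")
```

Running it against the real export means downloading the JSON once and passing the host's own source package list; the release name must be the codename the tracker uses (for example "bullseye", not "stable").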

