Re: [SECURITY] [DSA 2695-1] chromium-browser security update
On Sunday 02 Jun 2013 16:13:43 Michael Gilbert wrote:
> On Sun, Jun 2, 2013 at 9:32 AM, Nick Boyce wrote:
>
> > On Wednesday 29 May 2013 15:23:54 Michael Gilbert wrote:
> >
> >> or possibly have unspecified other impact via unknown vectors.
> >
> > I'm just wondering ... is that Google language for "or possibly allow
> > remote code execution" ?
[...]
> That is the intentionally vague language of CVE (e.g.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2837).
[...]
> In terms of chromium, your best bet is simply to wait for the bugs to
> become unembargoed (e.g.
> https://code.google.com/p/chromium/issues/detail?id=235638).
Thanks. It's just that I tend to expect that by the time a security fix is
released, those bugs *are* unembargoed, researchers are poring over code diffs,
and clear descriptions are usually forthcoming cos there's no longer any point
in being coy. For instance, by the time a Firefox release is made Mozilla
states explicitly in the release information whether or not each bug could
cause rce. Same thing for Microsoft.

It occurred to me maybe - for whatever reason - Google Corp has devised its
own vocabulary for these things; sort of like Oracle Corp never calling a
spade a spade in these matters. Or the kernel team [ducks quickly] :)

I understand the Mitre people's predicament about the analysis workload though
.... [gulp].

Cheers,
Nick
--
Firefox 3.6? Dude we're on 8.0 now. You're like 3 weeks behind !