If there was massive security hole found in Django, are there plans in place to deal with it?
Message-ID: <67e53cb40608110551u1667aae7q6540e408c4abc385@mail.gmail.com>
Date: Fri, 11 Aug 2006 09:51:06 -0300
From: "Julio Nobrega" <ine...@gmail.com>
To: django-developers@googlegroups.com
Subject: Re: If there was massive security hole found in Django, are there plans in place to deal with it?
In-Reply-To: <1155267081.731799.91730@i3g2000cwc.googlegroups.com>
References: <1155174060.345797.187240@m73g2000cwd.googlegroups.com>
<1155175996.18293.267.camel@counterweight.tredinnick.org>
<2545a92c0608092102v3433ca18n4411672b3a446787@mail.gmail.com>
<1155184718.679713.78910@i3g2000cwc.googlegroups.com>
<21787a9f0608092150y3db7563ex3aacabc9d9279ded@mail.gmail.com>
<1155230197.467211.154160@75g2000cwc.googlegroups.com>
<1155267081.731799.91...@i3g2000cwc.googlegroups.com>
On 8/11/06, e <ewea...@gmail.com> wrote:
> Even partial disclosure
> would have helped a lot (and it was definitely a possibility, since
> exploiting the flaw requires a combination of unrelated parts of the
> application stack).
For what it's worth, my 0.02 cents about this part. The good thing
about partial/full disclosure is that it gives server admins more
choices, because they have more information.
I know zero about Rails, the patch, or the security hole. But I'll
be damned if there weren't several ways to mitigate the vulnerability
without applying the patches, something that doesn't happen instantly
in a production environment. From minimal servers running only RoR and
the database on another machine with a firewall filtering packages, to
Apache/Ruby permissions, logs, and backups, up to disabling some
application features while the patch is tested, leaving users without
their lovely screens for 30 minutes but preventing server damage,
there's a lot that can be done when you have more information.
I just hope that, when a security hole is found in Django (not IF.
When), we get a good overview of the problem. There are occasions when
the official patch is not even worth applying, because it will break
features and there's another way to fix it.
There's a lot of smart folks out there, believe in that :)
--
Julio Nobrega - http://www.inerciasensorial.com.br