Opera on Handling Security

Filed under
Security

Recently, some of our users have asked why we chose to disclose a potential security issue only after the release of Opera 9.10. Let me try to give a short overview of how security issues get reported and disclosed - and not only at Opera, but in most applications: it might help some people to understand how this works.

When somebody discovers a vulnerability in an application, they should report it to the vendor. It can happen that the reporters give a deadline by when they want to make full disclosure of the vulnerability, but usually the reporter and the vendor work out a disclosure date that makes both happy. If the exploit is not clear, both work on details and a PoC (proof of concept). When a fix has been made and a public release is available, both the reporter and the vendor publish an advisory. The vendor usually credits the reporter in the advisory for the discovery of the vulnerability.

It is important that both parties do respect each other: if a fix is also included in development snapshot builds that reach a public audience (like the weekly builds on this blog), fixes for the vulnerability are not announced: this is a form of respect both for the reporter and for all the users that only upgrade to stable releases. Making the vulnerability public knowledge before a stable version fixes the issue would leave lots of users vulnerable. Serious reporters do not announce vulnerabilities before vendors have a fix in public builds - and vendors do not announce vulnerabilities before the reporters make their discovery public, in order to properly credit them.
