Language Selection

English French German Italian Portuguese Spanish

Opera on Handling Security

Filed under
Security

Recently, some of our users have asked why we chose to disclose a potential security issue only after the release of Opera 9.10. Let me try to give a short overview on how security issues get reported and disclosed - and not only at Opera, but in most applications: it might help some people to understand how this works.

When somebody discovers a vulnerability in an application, they should report it to the vendor. It can happen that the reporters give a deadline by when they want to make full disclosure of the vulnerability, but usually the reporter and the vendor work out a disclosure date that makes both happy. If the exploit is not clear, both work on details and a PoC (proof of concept). When a fix has been made and a public release is available, both the reporter and the vendor publish an advisory. The vendor usually credits the reporter in the advisory for the discovery of the vulnerability.

It is important that both parties do respect each other: if a fix is included also in development snapshot builds that reach a public audience (like the weekly builds on this blog), fixes for the vulnerability are not announced: this is a form of respect both for the reporter and for all the users that only upgrade to stable releases. Making the vulnerability public knowledge before a stable version fixes the issue would leave lots of users vulnerable. Serious reporters do not announce vulnerabilities before vendors have a fix in public builds - and vendors do not announce vulnerabilities before the reporters makes their discovery public, in order to properly credit them.

Full Story.

More in Tux Machines

Leftovers: Software

Emulation or WINE

Fedora: The Latest

  • New "remi-php71" repository
  • PHP on the road to the 7.1.0 release
  • First round of Fedora 24 Updated Lives now available. (torrents expected later this week)
    As noted by my colleague on his blog the first round of F24 Updated Lives are now available and carry the date 20160720, Also as mentioned last week on his blog F23 Respins are not going to be actively made, however we and the rest of the volunteer team will field off-off requests as time and resources permit. We are considering a new/second tracker for the Updated Spins but as of today there are only .ISO files available at https://alt.fedoraproject.org/pub/alt/live-respins [shortlink] F24 Live-Respins . The F24 respins carry the 4.6.4-200 Kernel and roughly ~500M of updates since the Gold ISOs were released just 5 weeks ago. (some ISOs have more updates, some less)

Leftovers: Ubuntu

  • Snappy Packaging Happenings In The Fedora, Arch Space
    This week Canonical hosted a Snappy Sprint in Heidelberg, Germany where they worked to further their new package management solution originally spearheaded for Ubuntu Touch. This wasn't an Ubuntu-only event, but Canonical did invite other distribution stakeholders. Coming out of this week's event were at least positive moments to share for both Arch and Fedora developers. The Arch snaps package guy made progress on snap confinement on Arch. Currently when using Snaps on Arch, there isn't any confinement support, which defeats some of the purpose. There isn't any confinement support since it relies upon some functionality in the Ubuntu-patched AppArmor with that code not yet being mainlined. Arch's Timothy Redaelli has got those AppArmor patches now running via some AUR packages. Thus it's possible to get snap confinement working on Arch, but it's not yet too pleasant of an experience.
  • PhantomJS 2.1.1 in Ubuntu different from upstream
    At the moment of this writing Vitaly's qtwebkit fork is 28 commits ahead and 39 commits behind qt:dev. I'm surprised Ubuntu's PhantomJS even works.
  • Ubuntu 16.04.1 LTS released
    Ubuntu 16.04 is a LTS version of Ubuntu.Now Ubuntu team has announced the release of it's first point release,Ubuntu 16.04.1.This first point release includes many updates containing bug fixes and fixing security issues as well and as always what most of users want from a distribution and most of distributions tries to perform,Stability.This release is also well focoused on stabilty as Ubuntu 16.04.