devblog

2018-06-21 14:50:20 -04:00 · 2018-06-21 14:50:20 -04:00 · 66b14b5d66
commit 66b14b5d66
parent f1b29dbeb4
2 changed files with 13 additions and 3 deletions
--- a/doc/devblog/day_499__security_hole.mdwn
+++ b/doc/devblog/day_499__security_hole.mdwn
@ -4,9 +4,9 @@ now when the security hole is disclosed.
 Security is not compositional. You can have one good feature, and add
 another good feature, and the result is not two good features, but a new
 security hole. In this case
-[[bugs/security_hole_private_data_exposure_via_addurl]]. And it can be hard
-to spot this kind of security hole, but then once it's known it
-seems blindly obvious.
+[[bugs/security_hole_private_data_exposure_via_addurl]] (CVE-2018-10857). 
+And it can be hard to spot this kind of security hole, but then once it's
+known it seems blindly obvious.

 It came to me last night and by this morning I had decided the potential
 impact was large enough to do a coordinated disclosure. Spent the first
--- a/doc/devblog/day_504__security_hole_part_6.mdwn
+++ b/doc/devblog/day_504__security_hole_part_6.mdwn
@ -0,0 +1,10 @@
+Was getting dangerously close to burnt out, or exhaustion leading to
+mistakes, so yesterday I took the day off, aside from spending the morning
+babysitting the android build every half hour. (It did finally succeed.)
+
+Today, got back into it, and implemented a fix for CVE-2018-10859 and also
+the one case of CVE-2018-10857 that had not been dealt with before.
+This fix was really a lot easier than the previous fixes for
+CVE-2018-10857.
+Unfortunately this did mean not letting URL and WORM keys be downloaded
+from many special remotes by default, which is going to be painful for some.