Added official PAX response
This commit is contained in:
parent
df6183e291
commit
80e838ea51
22
Readme.md
22
Readme.md
@ -376,6 +376,28 @@ By finding a vulnerability in a Merchant App, in `libosal.so` or in one in the k
|
|||||||
## Reporting
|
## Reporting
|
||||||
I tried contacting several times PAX Global via email and never got a reply related to anything: neither about the security vulneabilities, neither on inquiries about the source code for the GPL licensed software (Linux/U-Boot).
|
I tried contacting several times PAX Global via email and never got a reply related to anything: neither about the security vulneabilities, neither on inquiries about the source code for the GPL licensed software (Linux/U-Boot).
|
||||||
|
|
||||||
|
### Update
|
||||||
|
Following this public disclosure PAX got in touch with me. It turned out my previous emails on June 2020 were marked as spam and never read.
|
||||||
|
Here's their official answer for the following two question:
|
||||||
|
|
||||||
|
* Don't you have a patch distribution method and a remediation plan for vulnerabilities in your devices?
|
||||||
|
|
||||||
|
```
|
||||||
|
We apply relevant security patches to all software components we use.
|
||||||
|
|
||||||
|
For vulnerabilities •Arbitrary read/write - CVE-2020-28044, •ELF signature bypass - CVE-2020-28045 and •Root privesc - CVE-2020-28046, we have fixed them these days and the firmware is under releasing.
|
||||||
|
|
||||||
|
For vulnerabilities "Dirty COW", our kernel had "Dirty COW" patch included once CVE-2016-5195 had been published.
|
||||||
|
```
|
||||||
|
|
||||||
|
* Do you plan to release the source code, patches and build scripts for the modifications to the GPL licensed code?
|
||||||
|
|
||||||
|
```
|
||||||
|
We certainly do comply with GPL version requirements, and had provided source code at requests before several years ago. Since we do not have automated or semi-automated procedure for that, we may need up to several weeks to review and isolate our proprietary code, and adjust the build scripts for the redaction.
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Fun fact
|
## Fun fact
|
||||||
I had issues understanding the `shadow` password format:
|
I had issues understanding the `shadow` password format:
|
||||||
```
|
```
|
||||||
|
Loading…
Reference in New Issue
Block a user