PaX Team · Jun 19, 2017 · 3:38 PM UTC

PaX Team @paxteam

19 Jun 2017

Red Hat's @kurtseifried thinks that 200 hours of brute force is a defense failure. smells like sour grapes for having ignored the problem.

PaX Team · Jun 19, 2017 · 3:45 PM UTC

PaX Team @paxteam

19 Jun 2017

it's in the advisory: "it has a good chance of gaining eip control after 2^17 * 5.5 seconds = 200 hours"

PaX Team · Jun 19, 2017 · 3:49 PM UTC

PaX Team · Jun 19, 2017 · 3:49 PM UTC

PaX Team @paxteam

19 Jun 2017

you gave it a CVE, not Qualys. since you failed to discuss it with us, now's the time (to rescind it).

Jun 19, 2017 · 3:49 PM UTC