Message-ID: <20030805013616.69764BC06F@spike.porcupine.org>
Date: Mon, 4 Aug 2003 21:36:16 -0400 (EDT)
From: wietse@...cupine.org (Wietse Venema)
To: bugtraq@...urityfocus.com
Subject: Postfix: old bugs keep coming back


Bugs happen. Perhaps more unusual is that the two problems reported
today by Michal Zalewski were fixed nine or more months ago and
that the fixed code has been publicly available all that time.

Number one was fixed as the accidental side effect of a code reorg.
Number two was fixed by an explicit bugfix (not thought to be
security related at the time).  Unfortunately, number two did not
feature in Michal's draft advisory that I worked off last week;
I'd happily have fixed some technical inaccuracies in his text.

This episode is a reminder that bugs don't necessarily go away even
when they are fixed.  Once the source code goes out the door you
no longer control what happens with it. The result is that people
can discover old fixed bugs in "brand-new" software.

This phenomenon is far from new. As someone told me in private
email, Robert Morris Sr. lamented that he personally had fixed some
of the security bugs in the UNIX utilities back in the late '70s,
but they were still being exploited almost 20 years later.

	Wietse

