| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 25 Mar 2006 03:47:26 -0500 (EST) From: Todd Burroughs <fd@...sec.net> To: Gadi Evron <ge@...uxbox.org> Cc: Claus Assmann <ca+bugtraq@...doc.endmail.org>, bugtraq@...urityfocus.com Subject: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) On Fri, 24 Mar 2006, Gadi Evron wrote: > On Thu, 23 Mar 2006, Claus Assmann wrote: >>> It took Sendmail a mounth to fix this. A mounth. >> >> No. It took sendmail a week to fix this. The rest of the time was >> used to coordinate the release with all the involved vendors etc. > > There are a few choices, full disclosure and "responsible disclosure" are > some. You can't do both. Releasing it out of nowhere, obfuscated in very > ineffective way, isn't it. > > Not when it's critical infrastructure. With critical internet > infrastructure you need to be a tad bit smarter than that. How would you suggest that they release this? I think that they did it in a pretty responsible way. They where notified of the problem, they fixed it and gave vendors who use/ship the product some time to create and test patches, then it became public. This was done in a month, any longer and I would think that they would be putting us at risk, but I think that this is a very reasonable response. 0Day full-disclosure eith a 'sploit would have been more trouble for me ;-) (I'm probably not alone with that). Todd _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists