Message-ID: <Pine.LNX.4.64.0603250337150.19398@localhost>
Date: Sat, 25 Mar 2006 03:47:26 -0500 (EST)
From: Todd Burroughs <fd@...sec.net>
To: Gadi Evron <ge@...uxbox.org>
Cc: Claus Assmann <ca+bugtraq@...doc.endmail.org>, bugtraq@...urityfocus.com
Subject: Re: SendGate: Sendmail Multiple Vulnerabilities
 (Race Condition DoS, Memory Jumps, Integer Overflow)


On Fri, 24 Mar 2006, Gadi Evron wrote:
> On Thu, 23 Mar 2006, Claus Assmann wrote:
>>> It took Sendmail a month to fix this. A month.
>>
>> No. It took sendmail a week to fix this.  The rest of the time was
>> used to coordinate the release with all the involved vendors etc.
>
> There are a few choices, full disclosure and "responsible disclosure" are
> some. You can't do both. Releasing it out of nowhere, obfuscated in a very
> ineffective way, isn't it.
>
> Not when it's critical infrastructure. With critical internet
> infrastructure you need to be a tad bit smarter than that.

How would you suggest that they release this?

I think that they did it in a pretty responsible way.  They were
notified of the problem, they fixed it and gave vendors who use/ship
the product some time to create and test patches, then it became public.
This was done in a month; any longer and I would think that they would be
putting us at risk, but I think that this is a very reasonable response.
0Day full-disclosure with a 'sploit would have been more trouble for me
;-)  (I'm probably not alone with that).

Todd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

