| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.64.0603250337150.19398@localhost> Date: Sat Mar 25 08:48:22 2006 From: fd at parsec.net (Todd Burroughs) Subject: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) On Fri, 24 Mar 2006, Gadi Evron wrote: > On Thu, 23 Mar 2006, Claus Assmann wrote: >>> It took Sendmail a mounth to fix this. A mounth. >> >> No. It took sendmail a week to fix this. The rest of the time was >> used to coordinate the release with all the involved vendors etc. > > There are a few choices, full disclosure and "responsible disclosure" are > some. You can't do both. Releasing it out of nowhere, obfuscated in very > ineffective way, isn't it. > > Not when it's critical infrastructure. With critical internet > infrastructure you need to be a tad bit smarter than that. How would you suggest that they release this? I think that they did it in a pretty responsible way. They where notified of the problem, they fixed it and gave vendors who use/ship the product some time to create and test patches, then it became public. This was done in a month, any longer and I would think that they would be putting us at risk, but I think that this is a very reasonable response. 0Day full-disclosure eith a 'sploit would have been more trouble for me ;-) (I'm probably not alone with that). Todd
Powered by blists - more mailing lists