Mailinglist Archive: opensuse-security (195 mails)

Re: [suse-security] SuSE Security Announcement - make-3.77
  • From: Rune Kristian Viken <arcade@xxxxxxxxxxxxx>
  • Date: Wed, 8 Mar 2000 12:55:32 +0100
  • Message-id: <00030813003104.20307@xxxxxxxxxxxxxxxxxxx>
On Tue, 07 Mar 2000, you wrote:

>> So I tell you that you should use qmail because the latest sendmail is
>> crackable. Is this true, or am I just spreading FUD? An exploit allows
>> admins to try it on their systems.
> I don't care if it is a FUD or not. I only react to those mails
> originating from SuSE or the real vendors of the programs. These are of
> course the parties that need the exploits to verify the bug, and then
> send the _official_ security issues.

No.

What was the average RedHat response time? 10 days or something? From
publication of bug, to patch.. (Microsoft was 14 or 16 days or something).

I don't want to wait 10 days for that information. I want to read it when the
bug is discovered. I want to be able to shut down the daemon, and/or patch it
within 24 hours of the publication.

> If you find a bug, let the authors know first. If this does not work,
> then stop using their product, maybe make your own.

So, when I find the bug, I should send a notice to the author, and say nothing
to the thousands of users of the product? Letting them live with a vulnerable
server? No way. They have the right to know.

> And if the time taken by this process is an issue, think if you are
> really the first to know about the bug anyway?

You cannot know that for sure.

> If you find out that doorlocks can be picked, you should not go out and
> nail posters around telling _how_ it can be done, but you should inform
> the makers of the locks and the shops that sell them, which take contact
> with the customers. Or so I think I would do.

Yes I should. I should tell it to everyone, so that people change their locks
ASAP.

> No, because 'this kind of public' seems to be backstabbing you. Why not
> ask first and fire the shotguns later?

It's got nothing, NOTHING to do with backstabbing. It's got everything to do
with *informing the public*. If it feels like backstabbing to the programmer,
bad for him. That's his problem. I don't want thousands of users of the
program to be vulnerable, just to protect the programmer's back.


--
"Rune Kristian Viken" <arcade@xxxxxxxxxxxxx> / arcade@irc (EFnet/IRCnet)
Kvinesdalsnett System Administrator (http://arcade.kvinesdal.com/)
