[Mailman-Users] security heads up - path traversal with 2.1.5
brad at stop.mail-abuse.org
Thu Feb 10 02:32:18 CET 2005

At 12:31 AM +0100 2005-02-10, Kai Schaetzl wrote:

>> Either way, something like this should have been left to the project
>> developers (i.e. barry) to disclose.
> Correct. But it's out and it's not Ron to blame, so I don't see a reason
> for slapping Ron for posting it finally to the list.

There are two sides to this matter. You are correct, that the
public posting has been made, and the blackhats presumably already
know about it. They're more likely to be monitoring the
full-disclosure list than this one, anyway.

However, I also take Chuq's point that all security announcements
to this list, and all related mailman mailing lists hosted on
python.org, should be made by Barry or one of the other core
developers. Even if the information has been publicly released
elsewhere, it is not appropriate to post it here unless you are one
of those people.

Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.