[Mailman-Users] security heads up - path traversal with 2.1.5

Chuq Von Rospach chuqui at plaidworks.com
Mon Feb 14 16:40:29 CET 2005

On Feb 14, 2005, at 4:24 AM, Florian Weimer wrote:


> You're trying to establish something like ownership of security bugs.

No, I'm trying to get the people on this list to follow the STANDARD 
PROTOCOL that exists for disclosure of this data, actually. Which if 
people actually paid attention to how these security issues are handled 
instead of making up rationalizations for their own mistakes, we 
wouldn't be having this discussion.

I'm not establishing ownership of security bugs. i'm trying to 
establish the protocol for how that information is WIDELY distributed. 
and that's done by, and with the consultation of, the owner of the code 
in question, unless the owner refuses to cooperate. Barry was 
cooperating, and wasn't in fact asked,b efore it was disclosed onto 
this list, which made it availble to everyone before a patch was 

it broke the standard protocols we use in these cases (some of us have 
been involved in security for a while, unlike the amateurs), and now, 
the people who did it are insisting the protocols worked out over the 
years are wrong, because they don't like them.


So excuse me if I'm grumpy. I think I'm entitled. Not as much as Barry 
is, but he's far too polite to try to get people to behave. that's my 
job around here.

More information about the Mailman-Users mailing list