[Mailman-Users] security heads up - path traversal with 2.1.5
Chuq Von Rospach
chuqui at plaidworks.com
Mon Feb 14 16:40:29 CET 2005
On Feb 14, 2005, at 4:24 AM, Florian Weimer wrote:
> You're trying to establish something like ownership of security bugs.
No, I'm trying to get the people on this list to follow the STANDARD
PROTOCOL that exists for disclosure of this data, actually. Which if
people actually paid attention to how these security issues are handled
instead of making up rationalizations for their own mistakes, we
wouldn't be having this discussion.
I'm not establishing ownership of security bugs. i'm trying to
establish the protocol for how that information is WIDELY distributed.
and that's done by, and with the consultation of, the owner of the code
in question, unless the owner refuses to cooperate. Barry was
cooperating, and wasn't in fact asked,b efore it was disclosed onto
this list, which made it availble to everyone before a patch was
it broke the standard protocols we use in these cases (some of us have
been involved in security for a while, unlike the amateurs), and now,
the people who did it are insisting the protocols worked out over the
years are wrong, because they don't like them.
So excuse me if I'm grumpy. I think I'm entitled. Not as much as Barry
is, but he's far too polite to try to get people to behave. that's my
job around here.
More information about the Mailman-Users