[Mailman-Users] any info on this reported exploit?
Brad Knowles
brad at stop.mail-abuse.org
Sat Jan 28 19:34:22 CET 2006
At 10:31 AM -0500 2006-01-28, Jim Popovitch wrote:
>> But when they make that initial announcement, assuming no one else
>> has posted something to some other mailing list, they're basically firing
>> the starter's pistol for the blackhats to race to locate the bug and
>> start exploiting it before a patch can be issued.
>
> But now, you really don't know that, do you?
Sure we do. Some blackhats will already know, but there will be
others that don't -- and who would never know until the first
official announcement goes out.
No matter what, that first official announcement increases the
exposure of the security weakness. That is an inescapable universal
truth.
> OK, that's fair. But do you think they need to hold off entirely up until
> the point they have a patch pushed to *.dl.sf.net?
It depends on the nature of the weakness in question, and the
circumstances under which the patch was developed. I would say that
waiting a longer period may be appropriate in some circumstances, and
undesirable in others.
> Listen, nobody expects Tokio to be perfect. If people hadn't started
> making some noise most of us wouldn't know there is a pending patch.
Actually, you're wrong. There is no patch. There is an upgrade,
which was created a while ago -- the bug in question was fixed along
with a number of other issues.
So far as I know, this work was done without knowledge of the
so-called DoS warning, so there was never any intention of creating a
patch to resolve a problem which was already fixed.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
LOPSA member since December 2005. See <http://www.lopsa.org/>.