[Mailman-Users] any info on this reported exploit?

Sat Jan 28 20:11:41 CET 2006

Brad Knowles wrote:
> 
> Some blackhats will already know, but there will be others that don't
> -- and who would never know until the first official announcement
> goes out.
> 
> No matter what, that first official announcement increases the 
> exposure of the security weakness.  That is an unescapable universal
> truth.

'Universal truth'?  I sincerely doubt that.  You seem to be back on that 
security through obscurity approach again. ;-)  By the time the first 
official announcements are released usually everybody knows something of 
the issue.  Take Microsoft and Redhat for good examples.  I see them 
release stuff all time for things I've seen mentioned elsewhere. 
Microsoft tells me every week what patches they are working on and what 
I can expect in the future.  I don't get vulnerability specifics, but I 
do get arena specifics.  A good example of this was the recent WMF 
vulnerability.  Prior to releasing a patch MS advised customers how to 
protect their systems from the exploit and gave estimates on when they 
hoped to have a patch release.  This was widely discussed on /., I would 
be surprised if you missed it.

Again I will remind you that I am NOT asking for Mailman developers to 
release details, just early info on the updates/patches.  SANS/Mitre/etc 
already fill us in on the vulnerabilities, what I want from 
Mark/Tokio/Brandon is some feedback that they are aware and addressing 
the situation and not sitting around waiting for X, Y, or Z, before they 
can move forward.  This isn't oversight, it's just reasonable feedback.

The whole reason for me waxing so passionately on this thread is the 
earlier suggestion that Diana shouldn't have even emailed mailman-users, 
but rather mailman-security and kept it quiet thereafter (this after it 
was already released over at securityfocus.com).

>> OK, that's fair.  But do you think they need to hold off entirely
>> up until the point they have a patch pushed to *.dl.sf.net?
> 
> It depends on the nature of the weakness in question, and the 
> circumstances under which the patch was developed.  I would say that
>  waiting a longer period may be appropriate in some circumstances,
> and undesirable in others.

Fair enough.

>> Listen, nobody expects Tokio to be perfect.  If people hadn't
>> started making some noise most of us wouldn't know there is a
>> pending patch.
> 
> Actually, you're wrong.  There is no patch.  There is an upgrade,

Patch, smatch.  You are mincing words to try and make your point (which 
is getting suspiciously close to mine).  Again, all I'm asking for is 
some pre-patch, pre-upgrade info on what to expect.  Nothing more, 
nothing specific, no hard dates or time limits.  If this is too "secret" 
to put out on mailman-users, then lets create a vetted mailman-alerts 
list and at least let those that want to be informed get updates.

-Jim P.