[Mailman-Users] any info on this reported exploit?
Jim Popovitch
jimpop at yahoo.com
Sat Jan 28 20:11:41 CET 2006
Brad Knowles wrote:
>
> Some blackhats will already know, but there will be others that don't
> -- and who would never know until the first official announcement
> goes out.
>
> No matter what, that first official announcement increases the
> exposure of the security weakness. That is an unescapable universal
> truth.
'Universal truth'? I sincerely doubt that. You seem to be back on that
security through obscurity approach again. ;-) By the time the first
official announcements are released usually everybody knows something of
the issue. Take Microsoft and Red Hat for good examples. I see them
release stuff all the time for things I've seen mentioned elsewhere.
Microsoft tells me every week what patches they are working on and what
I can expect in the future. I don't get vulnerability specifics, but I
do get arena specifics. A good example of this was the recent WMF
vulnerability. Prior to releasing a patch MS advised customers how to
protect their systems from the exploit and gave estimates on when they
hoped to have a patch release. This was widely discussed on /.; I would
be surprised if you missed it.
Again I will remind you that I am NOT asking for Mailman developers to
release details, just early info on the updates/patches. SANS/Mitre/etc.
already fill us in on the vulnerabilities, what I want from
Mark/Tokio/Brandon is some feedback that they are aware and addressing
the situation and not sitting around waiting for X, Y, or Z, before they
can move forward. This isn't oversight, it's just reasonable feedback.

The whole reason for me waxing so passionately on this thread is the
earlier suggestion that Diana shouldn't have even emailed mailman-users,
but rather mailman-security and kept it quiet thereafter (this after it
was already released over at securityfocus.com).
>> OK, that's fair. But do you think they need to hold off entirely
>> up until the point they have a patch pushed to *.dl.sf.net?
>
> It depends on the nature of the weakness in question, and the
> circumstances under which the patch was developed. I would say that
> waiting a longer period may be appropriate in some circumstances,
> and undesirable in others.
Fair enough.
>> Listen, nobody expects Tokio to be perfect. If people hadn't
>> started making some noise most of us wouldn't know there is a
>> pending patch.
>
> Actually, you're wrong. There is no patch. There is an upgrade,
Patch, smatch. You are mincing words to try and make your point (which
is getting suspiciously close to mine). Again, all I'm asking for is
some pre-patch, pre-upgrade info on what to expect. Nothing more,
nothing specific, no hard dates or time limits. If this is too "secret"
to put out on mailman-users, then let's create a vetted mailman-alerts
list and at least let those that want to be informed get updates.
-Jim P.