Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race

from [Gadi Evron] Network Security [Permanent Link]
Subject: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
Date: Fri, 24 Mar 2006 12:03:59 -0600 (CST) 
On Thu, 23 Mar 2006, Eric Allman wrote:

<snip mostly relevant good replies by Mr. Allman>


Talk to the vendors.  I've seen quite a few of their advisories come 
by.


After or before it hit the news? You may be able to alert vendors, but
the problem with critical infrastructure is that is widely deployed around
the world. Releasing the way you did is irresponsible.

You can do non-disclosure for a while or full disclosure, you can't do
both.


Commentary


== personal opinion


Yes, that's true.  If it's exploitable and people don't update, then 
those people who choose to ignore the problem will be vulnerable. 
You could say that about every vulnerability that has ever existed.


Indeed. And yet blaming the user is not how you solve the problem, is it?
The Internet being insecure is a give, do you blame the Internet for
telnet not being secure, or do you create SSH?

How long before enough Sendmail servers globally are patched?


A mounth!


Are you suggesting that it would have been better for us to have 
released the problem without giving vendors any time at all to get it 
integrated?  I think that would be seriously irresponsible.


I agree, my point is that if you release, do it as soon as you can as you
ARE critical infrastructure. If you want to let vendors get something
done, wait a whole lot longer than a month.

        Gadi.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow), Gadi Evron
Next by Date:  HeffnerCMS Remote Command Exucetion And Cross Scripting Attack, botan
Previous by Thread:  Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow), Eric Allman
Next by Thread:  [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow), Theo de Raadt
Indexes:  [Date] [Thread] [Top] [All Lists]