North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: SendGate: Sendmail Multiple Vulnerabilities (Race ConditionDoS, Memory Jumps, Integer Overflow)
On Thu, 23 Mar 2006 03:41:52 -0600 (CST), Gadi Evron <[email protected]> wrote: > It took Sendmail a mounth to fix this. A mounth. > > A mounth! > > With such Vendor Responsibility, perhaps it is indeed a Good Thing to go > Full Disclosure. It seems like history is repeating itself and Full > Disclosure is once again not only a choice, but necessary to make vendors > become responsible. > Given the scope of the changes you describe -- you wrote "Sendmail.com's patch is so big they may as well have re-released the whole program." -- I can't get upset at taking a month to fix it. You're dealing with asynchronous events, which are really hard to start with. I suspect that they spent some time deciding how to fix it -- you don't appear thrilled with their choice, but I don't know what other options they considered -- and then actually tested the new code. Given how many of our security problems are due to buggy and inadequately-tested code, I suspect that taking a month was actually being quite responsible. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
|