Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS,

• From: Alain Hebert
• Date: Fri Mar 24 23:09:15 2006

[email protected] wrote:

I wonder how many other unreported silently-patched
vulnerabilities are out there?

You seem to be inferring that it is a bad thing to silently
patch bugs which may have security implications. The OpenBSD

Full disclosure, we believe in it.

team makes a habit of auditing software for flaws and fixing
them without waiting to find out whether they create actual
security vulnerabilities. They consider this to be a GOOD thing.

It is a good thing.

I think that people who use software also consider it to
be good for software flaws to be fixed as quickly as possible.
Inevitably, this means that if the DEVELOPERS discover a flaw, they will fix it before they tell anyone about it. The
reason that security researchers publish bulletins about
security flaws is because they are unable to fix them either due to lack of skill, or more commonly, they just don't have permission to commit changes to the source code.

Network operators are users of software and not developers,
therefore most network operators are happy when flaws are
fixed early and often.

I wonder if the same network operators will be happy about potentially millions of compromised sendmail servers globally.

• Follow-Ups:
  • Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Randy Bush

• References:
  • Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, MemoryJumps, Integer Overflow) Michael.Dillon
  • Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS,Memory Jumps, Integer Overflow) Gadi Evron

• Prev by Date: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS,Memory Jumps, Integer Overflow)
• Next by Date: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS,
• Date Index
• Thread Index
• Author Index
• Historical