[89545] in North American Network Operators' Group
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS,
daemon@ATHENA.MIT.EDU (Gadi Evron)
Fri Mar 24 22:02:31 2006
Date: Sat, 25 Mar 2006 04:59:47 +0200
From: Gadi Evron <ge@linuxbox.org>
To: Michael.Dillon@btradianz.com
Cc: nanog@merit.edu
In-Reply-To: <OF55B25B4B.22611CF9-ON8025713B.0036675B-8025713B.0036E971@btradianz.com>
Errors-To: owner-nanog@merit.edu
Michael.Dillon@btradianz.com wrote:
>> I wonder how many other unreported silently-patched
>> vulnerabilities are out there?
>
> You seem to be inferring that it is a bad thing to silently
> patch bugs which may have security implications.
Full disclosure, we believe in it.
> The OpenBSD team makes a habit of auditing software for flaws
> and fixing them without waiting to find out whether they create
> actual security vulnerabilities. They consider this to be a GOOD
> thing.
It is a good thing.
> I think that people who use software also consider it to
> be good for software flaws to be fixed as quickly as possible.
> Inevitably, this means that if the DEVELOPERS discover a
> flaw, they will fix it before they tell anyone about it. The
> reason that security researchers publish bulletins about
> security flaws is because they are unable to fix them
> either due to lack of skill, or more commonly, they just
> don't have permission to commit changes to the source code.
>
> Network operators are users of software and not developers,
> therefore most network operators are happy when flaws are
> fixed early and often.
I wonder if the same network operators will be happy about potentially
millions of compromised sendmail servers globally.