[16495] in bugtraq

Re: Remote DoS Attack in Eeye Iris 1.01 and SpyNet CaptureNet

daemon@ATHENA.MIT.EDU (Dan Harkless)
Fri Sep 1 17:48:23 2000

Message-Id:  <200009010050.RAA18040@dilvish.speed.net>
Date:         Thu, 31 Aug 2000 17:50:08 -0700
Reply-To: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Message from "Jay D. Dyson" <jdyson@TREACHERY.NET> of "Thu, 31
              Aug 2000 14:41:33 PDT."
              <Pine.GSO.3.96.1000831142857.22070A-100000@crypto>

"Jay D. Dyson" <jdyson@TREACHERY.NET> writes:
> 	I don't typically do this, but I feel I must question the validity
> (and even the value) of issuing a DoS advisory on products that are either
> in Beta or no-longer-supported.
>
> 	That a product is in Beta means that the vendor has a distinctly
> open-door policy on any bug reports regarding the software.  Beta == Bugs.
> No surprise there.  ...Yet when a product is no longer supported, issuing
> a DoS exploit against it isn't only yesterday's news...it's slapping the
> jellied *remains* of a dead horse.

If the vulnerability is serious (e.g. can get root access -- DoS only
affecting the product probably would not qualify), I see no problem with
reporting bugs in beta software.  Some software stays in 0.x mode for years.

And just because a product is no longer supported doesn't mean it's not in
wide use.  A lot of software becomes stable, goes into wide use, and then
there comes a time where there's no official maintainer, or the official
maintainer is unresponsive.

For instance, if someone found a glaring security hole in obtuse.com's
smtpd, which isn't being actively supported (I've contributed patches to
them and have never received any reply), I'd want to hear about it.

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.
