[16572] in bugtraq
Re: FORCED RELEASE NOTES - CORE-090400 - BID 1634
daemon@ATHENA.MIT.EDU (van der Kooij, Hugo)
Tue Sep 5 12:16:09 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10009050852240.19273-100000@bastion.hugo.vanderkooij.org>
Date: Tue, 5 Sep 2000 09:00:00 +0200
Reply-To: Hugo.van.der.Kooij@CAIW.NL
From: "van der Kooij, Hugo" <Hugo.van.der.Kooij@CAIW.NL>
X-To: Jim Duncan <jnduncan@CISCO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200009050457.AAA13941@rtp-msg-core-1.cisco.com>
On Tue, 5 Sep 2000, Jim Duncan wrote:
> Vulnerability Help writes:
....
> > [...]
> > The net result here is that Linux vendors were aware this problem existed
> > in *other* non Linux UNIX distributions. In particular they were aware of
> > the fact that Solaris was vulnerable, yet advisories were released
> > regardless of this. It is a given that people who understand that the
> > Local Subsystem is cross platform (this is essentially anyone who reads
> > Bugtraq..) would realize that this problem would affect more than just
> > Linux distributions. As a result of no attempt to work amongst the Linux
> > vendors with other vendors a series of OS's are now unprotected to a very
> > serious, very widespread bug.
>
> That's not true; the FIRST maintains a method for competing vendors to
> share sensitive information like this and to coordinate public
> announcements regarding vulnerabilities. There have been major events
> in the past in which the Unix vendors that were members of FIRST at the
> time (http://www.first.org/team-info/) were brought together by one of
> the Unix vendors, advised of the vulnerability, worked out a schedule,
> and then fixed the problem. When they were ready, they published all
> at the same time.
The issue involved is time vs. manpower vs. risk.
If a vulnerability exists that is remotely exploitable then every vendor is
required to throw in resources to fix it asap. For some vendors this is
fixed in minutes or hours while others need weeks to perform the same.
Should vendors that fixed them in hours wait several weeks on those
vendors that need weeks and leave their customers vulnerable?
While I think it is good that vendors keep in touch and try to help each
other out they should not wait too long to release the fixes and their
advisories.
If some vendors fall behind due to their lack of resources then they need
to rethink their resource management. They should not hold back
because some vendors are too slow.
Hugo.
--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
hvdkooij@caiw.nl http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)