I think he hit the nail on the head!!! Every sysadmin around knows that every product is basically insecure if configured incorrectly, and is used at our own risk. That doesn't excuse behavior of releasing the bug 8 hours after informing the apache team. How possible is it that a large amount of sysadmin's might have not had a chance to check their email that day??, or maybe they don't subscribe to buqtraq but only to ibm's, redhat's, or whatever vendors mailing list. By the time they had been cracked it could have been another 12 hours before they recieved any notice from the vendor containing a fix. Case in point, Theo of OpenBSD/OpenSSH, sent an email saying that there is a problem with OpenSSH, I'm not telling what it is, here is what you can do to work around it, and here is the url to get the latest verstion that mitigates the danger. And he still waited a couple of days before saying what was wrong. Granted it was his product released on his schedule, but that doesn't matter in this case. Wise up dumbass.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/91/13348#13348