BugTraq
SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 23 2006 09:41AM
Gadi Evron (ge linuxbox org) (5 replies)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 24 2006 04:27AM
Eric Allman eric+bugtraq (at) neophilic (dot) com [email concealed] (eric+bugtraq neophilic com) (1 replies)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 24 2006 06:03PM
Gadi Evron (ge linuxbox org)
On Thu, 23 Mar 2006, Eric Allman wrote:

<snip mostly relevant good replies by Mr. Allman>

> Talk to the vendors. I've seen quite a few of their advisories come
> by.

After or before it hit the news? You may be able to alert vendors, but
the problem with critical infrastructure is that is widely deployed around
the world. Releasing the way you did is irresponsible.

You can do non-disclosure for a while or full disclosure, you can't do
both.

> > Commentary

== personal opinion

> Yes, that's true. If it's exploitable and people don't update, then
> those people who choose to ignore the problem will be vulnerable.
> You could say that about every vulnerability that has ever existed.

Indeed. And yet blaming the user is not how you solve the problem, is it?
The Internet being insecure is a give, do you blame the Internet for
telnet not being secure, or do you create SSH?

How long before enough Sendmail servers globally are patched?

> > A mounth!
>
> Are you suggesting that it would have been better for us to have
> released the problem without giving vendors any time at all to get it
> integrated? I think that would be seriously irresponsible.

I agree, my point is that if you release, do it as soon as you can as you
ARE critical infrastructure. If you want to let vendors get something
done, wait a whole lot longer than a month.

Gadi.

[ reply ]
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 24 2006 03:08AM
Claus Assmann ca+bugtraq (at) zardoc.endmail (dot) org [email concealed] (ca+bugtraq zardoc endmail org) (2 replies)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 24 2006 05:56PM
Gadi Evron (ge linuxbox org) (1 replies)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 25 2006 08:47AM
Todd Burroughs (fd parsec net)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 24 2006 05:39PM
Theo de Raadt (deraadt cvs openbsd org)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 24 2006 02:52AM
Theo de Raadt (deraadt cvs openbsd org) (2 replies)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 24 2006 05:53PM
Gadi Evron (ge linuxbox org) (2 replies)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 25 2006 09:51AM
Casper Dik Sun COM
RE: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 24 2006 11:31PM
Michael A Fusaro II (maf mafii com)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 24 2006 03:13PM
Martin Schulze (joey infodrom org) (1 replies)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 24 2006 10:17PM
Theo de Raadt (deraadt cvs openbsd org) (4 replies)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 25 2006 11:12PM
Florian Weimer (fw deneb enyo de) (1 replies)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 28 2006 07:36AM
Casper Dik Sun COM
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 25 2006 08:12AM
Pim van Riezen (pi madscience nl)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 25 2006 03:16AM
Gadi Evron (ge linuxbox org) (1 replies)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 26 2006 04:12PM
Geo. (geoincidents nls net)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 25 2006 12:33AM
D.F.Russell (DFRussell spamcop net) (1 replies)
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 25 2006 09:54PM
Kurt Seifried (bt seifried org)
Re: [Full-disclosure] SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 23 2006 08:13PM
Dragos Ruiu (dr kyx net) (1 replies)
Re: [Full-disclosure] SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mar 24 2006 05:44PM
Gadi Evron (ge linuxbox org)
trusting SMTP [was: SendGate: Sendmail Multiple Vulnerabilities] Mar 23 2006 09:59AM
Gadi Evron (ge linuxbox org) (1 replies)
Re: [Full-disclosure] trusting SMTP [was: SendGate: Sendmail Multiple Vulnerabilities] Mar 24 2006 10:13AM
Valdis Kletnieks vt edu (1 replies)
Re: [Full-disclosure] trusting SMTP [was: SendGate: Sendmail Multiple Vulnerabilities] Mar 24 2006 05:50PM
Gadi Evron (ge linuxbox org)


 

Privacy Statement
Copyright 2010, SecurityFocus