Re: Critical Sendmail Flaw, update/patch now

Well I guess I don't have the answers to everyone's issues, but I would say publish it as soon as you know about it, patch ready or not. That's the way open source security works, that's what makes it work (IMHO).

For example, what if someone else had discovered the flaw on December 10th, someone less reputable than ISS? If the warning had come out as soon as it was known about then sendmail could have been disabled, or configured differently or whatever to avoid the exploit.

I know this is a hotly debated topic but my vote is publish it when we know it exists, patch or not, no matter who you are.

And again I am not faulting ISS, I think the way they handled the previous Apache issue was correct and I think that on this one the Homeland Security Department got involved and that probably accounts for the delay (and several million of our tax dollars, for the same functions that ISS was doing fine on its own before, ISS and others, CERT, etc).
