SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

• Previous message (by thread): SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
• Next message (by thread): SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 23 Mar 2006 03:41:52 -0600 (CST), Gadi Evron <ge at linuxbox.org>
wrote:


> It took Sendmail a mounth to fix this. A mounth.
> 
> A mounth!
> 
> With such Vendor Responsibility, perhaps it is indeed a Good Thing to go
> Full Disclosure. It seems like history is repeating itself and Full
> Disclosure is once again not only a choice, but necessary to make vendors
> become responsible.
> 

Given the scope of the changes you describe -- you wrote "Sendmail.com's
patch is so big they may as well have re-released the whole program."
-- I can't get upset at taking a month to fix it.  You're dealing with
asynchronous events, which are really hard to start with.  I suspect
that they spent some time deciding how to fix it -- you don't appear
thrilled with their choice, but I don't know what other options they
considered -- and then actually tested the new code.  Given how many of
our security problems are due to buggy and inadequately-tested code, I
suspect that taking a month was actually being quite responsible.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

• Previous message (by thread): SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
• Next message (by thread): SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]