SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

Michael.Dillon at Michael.Dillon at
Fri Mar 24 09:59:47 UTC 2006

> I wonder how many other unreported silently-patched
> vulnerabilities are out there?

You seem to be inferring that it is a bad thing to silently
patch bugs which may have security implications. The OpenBSD
team makes a habit of auditing software for flaws and fixing
them without waiting to find out whether they create actual
security vulnerabilities. They consider this to be a GOOD thing.

I think that people who use software also consider it to
be good for software flaws to be fixed as quickly as possible.
Inevitably, this means that if the DEVELOPERS discover a 
flaw, they will fix it before they tell anyone about it. The
reason that security researchers publish bulletins about
security flaws is because they are unable to fix them 
either due to lack of skill, or more commonly, they just 
don't have permission to commit changes to the source code.

Network operators are users of software and not developers,
therefore most network operators are happy when flaws are
fixed early and often.

--Michael Dillon

More information about the NANOG mailing list