SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

Gadi Evron ge at linuxbox.org
Sat Mar 25 02:36:43 UTC 2006


Steven M. Bellovin wrote:
> On Thu, 23 Mar 2006 03:41:52 -0600 (CST), Gadi Evron <ge at linuxbox.org>
> wrote:
> 
>>It took Sendmail a month to fix this. A month.
>>
>>A month!
>>
>>With such Vendor Responsibility, perhaps it is indeed a Good Thing to go
>>Full Disclosure. It seems like history is repeating itself and Full
>>Disclosure is once again not only a choice, but necessary to make vendors
>>become responsible.
>>
> 
> Given the scope of the changes you describe -- you wrote "Sendmail.com's
> patch is so big they may as well have re-released the whole program."
> -- I can't get upset at taking a month to fix it.  You're dealing with
> asynchronous events, which are really hard to start with.  I suspect
> that they spent some time deciding how to fix it -- you don't appear
> thrilled with their choice, but I don't know what other options they
> considered -- and then actually tested the new code.  Given how many of
> our security problems are due to buggy and inadequately-tested code, I
> suspect that taking a month was actually being quite responsible.

I'd usually agree, compared to a year and a half with Microsoft or 3 
years with Oracle.

The point here, though, is that the patch was released almost with no 
notification _to_the_security_community_ (bugtraq, fd, etc.). It was 
obfuscated (open source, funny notion) and released. Exploits are 
already out there.

When you are critical infrastructure, you have higher responsibility. 
You either practice non-disclosure and patch your users over-time, then 
disclose, or simply disclose. It depends on needs and/or how responsive 
the vendor is.

One can't have it both ways, unfortunately.

	Gadi.