SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
ge at linuxbox.org
Sat Mar 25 02:59:47 UTC 2006
Michael.Dillon at btradianz.com wrote:
>>I wonder how many other unreported silently-patched
>>vulnerabilities are out there?
> You seem to be inferring that it is a bad thing to silently
> patch bugs which may have security implications. The OpenBSD
Full disclosure, we believe in it.
> team makes a habit of auditing software for flaws and fixing
> them without waiting to find out whether they create actual
> security vulnerabilities. They consider this to be a GOOD thing.
It is a good thing.
> I think that people who use software also consider it to
> be good for software flaws to be fixed as quickly as possible.
> Inevitably, this means that if the DEVELOPERS discover a
> flaw, they will fix it before they tell anyone about it. The
> reason that security researchers publish bulletins about
> security flaws is because they are unable to fix them
> either due to lack of skill, or more commonly, they just
> don't have permission to commit changes to the source code.
> Network operators are users of software and not developers,
> therefore most network operators are happy when flaws are
> fixed early and often.
I wonder if the same network operators will be happy about potentially
millions of compromised sendmail servers globally.
More information about the NANOG