SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

Gadi Evron ge at
Sat Mar 25 02:59:47 UTC 2006

Michael.Dillon at wrote:
>>I wonder how many other unreported silently-patched
>>vulnerabilities are out there?
> You seem to be inferring that it is a bad thing to silently
> patch bugs which may have security implications. The OpenBSD

Full disclosure, we believe in it.

> team makes a habit of auditing software for flaws and fixing
> them without waiting to find out whether they create actual
> security vulnerabilities. They consider this to be a GOOD thing.

It is a good thing.

> I think that people who use software also consider it to
> be good for software flaws to be fixed as quickly as possible.
> Inevitably, this means that if the DEVELOPERS discover a 
> flaw, they will fix it before they tell anyone about it. The
> reason that security researchers publish bulletins about
> security flaws is because they are unable to fix them 
> either due to lack of skill, or more commonly, they just 
> don't have permission to commit changes to the source code.
> Network operators are users of software and not developers,
> therefore most network operators are happy when flaws are
> fixed early and often.

I wonder if the same network operators will be happy about potentially 
millions of compromised sendmail servers globally.

More information about the NANOG mailing list