possible rsync validation dos vuln

Barry Greene bgreene at senki.org
Fri Oct 29 12:15:43 UTC 2021



> On Oct 29, 2021, at 5:26 PM, Nick Hilliard <nick at foobar.org> wrote:
> 
> Because this didn't happen, we now get to look forward to a weekend of elevated risk, followed by people upending their calendars to handle un-coordinated upgrades on Monday morning.


That only happens if the team has the time to get the fix into the code, tested, validated, regressed, and deployed. I would say this is a classic example of “ego” to publish overruling established principles.

The University of Twente should explore requiring classes for responsible disclosure.

NCSC, it seems you threw out your own policy:

"The NCSC will try to resolve the security problem that you have reported in a system within 60 days. Once the problem has been resolved, we will decide in consultation whether and how details will be published."

I would have expected you to counsel the researchers on responsible disclosure principles.

