Re: lynx-dev Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)

From: brian j. pardy
Subject: Re: lynx-dev Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)
Date: Fri, 30 Oct 1998 08:18:31 -0800 (PST)

On Thu, 29 Oct 1998, David Woolley wrote:

> > It's only common courtesy to report these things to the developers before
> > a public list.
> > 
> Lynx-dev is a public list.

Of course.

> What many on lynx-dev may not realise is that what he is reporting are
> methods of taking control of the machine running Lynx from the web site.
> As such there is an argument that when you go public you hit as many
> people concerned with security as possible, otherwise there is a risk
> that the hackers hear the reports but the protectors don't.

Still, it makes sense to me to report things to the vendor/maintainer of
a piece of software so that a patch can be released at the same time the
bug is. I personally expect quite a few more 'black hats' read BUGTRAQ
than lynx-dev.

I don't think one should always wait for the vendor/maintainer to come
up with a patch before public release of a bug, but they should be given
a reasonable time period (a couple days or so).

> These are potentially serious security flaws, not just crashes in weird
> cases.
(But I digress off-topic, the 'notify vendor first' thread has been beat
to the ground so much on Bugtraq already that it is rarely allowed anymore)

GPG & PGP public keys: <URL:> 
PGP fingerprint: 42 57 B3 D2 39 8E 74 C3  5E 4D AC 43 25 D2 26 D4

unix soit qui mal y pense

