[Mailman-Users] any info on this reported exploit?

[Brad Knowles]

At 10:31 AM -0500 2006-01-28, Jim Popovitch wrote:

>>      But when they make that initial announcement, assuming no one else
>>  has posted something to some other mailing list, they're basically firing
>>  the starter's pistol for the blackhats to race to locate the bug and
>>  start exploiting it before a patch can be issued.
>
>  But now, you really don't know that, do you?

	Sure we do.  Some blackhats will already know, but there will be 
others that don't -- and who would never know until the first 
official announcement goes out.

	No matter what, that first official announcement increases the 
exposure of the security weakness.  That is an unescapable universal 
truth.

>  OK, that's fair.  But do you think they need to hold off entirely up until
>  the point they have a patch pushed to *.dl.sf.net?

	It depends on the nature of the weakness in question, and the 
circumstances under which the patch was developed.  I would say that 
waiting a longer period may be appropriate in some circumstances, and 
undesirable in others.

>  Listen, nobody expects Tokio to be perfect.  If people hadn't started
>  making some noise most of us wouldn't know there is a pending patch.

	Actually, you're wrong.  There is no patch.  There is an upgrade, 
which was created a while ago -- The bug in question was fixed along 
with a number of other issues.

	So far as I know, this work was done without knowledge of the 
so-called DoS warning, so there was never any intention of creating a 
patch to resolve a problem which was already fixed.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.