[Mailman-Users] any info on this reported exploit?

Brad Knowles brad at stop.mail-abuse.org
Sat Jan 28 11:11:37 CET 2006 

At 12:43 AM -0500 2006-01-28, Jim Popovitch wrote:

>  No.  What I am suggesting/recommending is this:  If the developers know
>  on Monday of some super secret issue, and presumably they won't have a
>  robust fully-tested solution until Friday, I want them to tell me in
>  no-detail to alert me to be prepared for a Friday emergency patch.  How
>  is that risky?

	But on Monday, they may not know how long it will take them to 
create a patch.  It might turn out to be a simple matter that can be 
fixed by Tuesday morning, or it might be complex and take weeks or 
months.

	But when they make that initial announcement, assuming no one 
else has posted something to some other mailing list, they're 
basically firing the starter's pistol for the blackhats to race to 
locate the bug and start exploiting it before a patch can be issued.

	I think they need to hold off a little while longer on making 
that initial announcement, at least until they know enough about the 
problem to have a good idea how long it's going to take to create the 
patch, how widespread the problem is, what the overall risk is, 
etc....


	In the case of the most recent issue, Tokio apparently felt that 
it was a reasonably low-risk item and he fixed the bug (along with a 
number of other problems) during the normal release cycle.  It wasn't 
until others came along and decided to call this a potential DoS 
attack that people like you started screaming.

>  You mis-characterize (yet again?) what I am saying. I am not advocating
>  for the developers to work more, or differently.  I am only asking for a
>  "heads up", not a last minute announcement.

	I don't think a last minute announcement is a good idea, but then 
I also don't think it's a good idea to run around like Chicken Little 
screaming that the sky is falling every time something comes up and 
before we've had enough time to look into the issue, gauge the 
potential risk and how many people might be affected, and have a 
decent idea of how long it's going to take to create a patch.

	I think we need to compromise somewhere in the middle, and I 
think we have to trust the Mailman developers to do that.

>  My thoughts exactly.  I trust them to do the work and produce a fix.
>  Again, all I am advocating is that if they are spending 6 days on a fix,
>  don't wait until the 7th day to fill us in.  Let us know up front that
>  they are working a possible fix that may need to be applied.  Where's
>  the harm in that?

	In most cases, when you're developing a fix for some bug, you may 
know that you've spent six days so far on the problem, but you may 
not have much of an idea of how much longer it's going to take you.

	If you make the seven day announcement one day into a problem 
that actually takes you a month, explain to me how this is a good 
thing?

>  Again, you mis-understand my interests.  I don't want info on the hack,
>  I want a "heads-up" that <unidentified> fix is in the pipe and sysadmins
>  can expect it late Friday (or whenever).  Again, how is that so egregious?

	And I think you misunderstand the development process.  Many 
times you don't know how long it's going to take you until you've 
done it.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.

More information about the Mailman-Users mailing list