> The exploit they have devised requires shell access to a Linux-based
> host so _our_ server is OK ;-)
As are mine :)
> Seriously, as soon as anyone raises a security issue we fix it (like the
> force_suffix option added to 2.0.11). In other forums, "real" security
> concerned organisations have contacted us a couple of days prior to making
> a public statement so that we could give them details of a fix. BUGTRAQ
> doesn't work that way and I sometimes feel the list members often go out
> of their way to show personal "hacking ability" rather than to help solve
> a problem.
I get that feeling too. I read BugTraq daily. Most of the "exploits" are
academic and are reported to prove that someone can disassemble code. The
odds that someone would use these exploits are slim, even slimmer against
those of us who don't have anything anyone would want.
Not that the bugs shouldn't be fixed, but they should first be reported to
the vendor and the vendor should be given a chance to respond. I believe
this was BugTraq's policy in the past. Perhaps the members just stopped
following the list's rules.
Scot Bontrager darien@sailormoon.org
http://www.sailormoon.org/ scbontra@paranet.com
i can't even be bothered : energy just breaks me down
This archive was generated by hypermail 2b30 : Mon Mar 04 2002 - 09:03:51 EST