Re: lynx-dev Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)

[brian j. pardy]

On Thu, 29 Oct 1998, David Woolley wrote:

> > It's only common courtesy to report these things to the developers before
> > a public list.
> > 
> 
> Lynx-dev is a public list.

Of course.

> What many on lynx-dev may not realise is that what he is reporting are
> methods of taking control of the machine running Lynx from the web site.
> As such there is an argument that when you go public you hit as many
> people concerned with security as possible, otherwise there is a risk
> that the hackers hear the reports but the protectors don't.

Still, it makes sense to me to report things to the vendor/maintainer of
a piece of software so that a patch can be released at the same time the
bug is. I personally expect quite a for more 'black hats' read BUGTRAQ
than lynx-dev. 

I don't think one should always wait for the vendor/maintainer to come
up with a patch before public release of a bug, but they should be given
a reasonable time period (a couple days or so).

> These are potentially serious security flaws, not just crashes in weird
> cases.

Right.

(But I digress off-topic, the 'notify vendor first' thread has been beat
to the ground so much on Bugtraq already that it is rarely allowed anymore)

-- 
GPG & PGP public keys: <URL:http://www.psnw.com/~posterkid/keys/> 
PGP fingerprint: 42 57 B3 D2 39 8E 74 C3  5E 4D AC 43 25 D2 26 D4

unix soit qui mal y pense