Bugtraq mailing list archives
Re: FORCED RELEASE NOTES - CORE-090400 - BID 1634
From: "van der Kooij, Hugo" <Hugo.van.der.Kooij () CAIW NL>
Date: Tue, 5 Sep 2000 09:00:00 +0200
On Tue, 5 Sep 2000, Jim Duncan wrote:

> Vulnerability Help writes:
> > ....
> > [...] The net result here is that Linux vendors were aware this problem existed in *other* non Linux UNIX distributions. In particular they were aware of the fact that Solaris was vulnerable, yet advisories were released regardless of this. It is a given that people who understand that the Local Subsystem is cross platform (this is essentially anyone who reads Bugtraq..) would realize that this problem would affect more than just Linux distributions. As a result of no attempt to work amongst the Linux vendors with other vendors a series of OS's are now unprotected to a very serious, very wide spread bug.
>
> That's not true; the FIRST maintains a method for competing vendors to share sensitive information like this and to coordinate public announcements regarding vulnerabilities. There have been major events in the past in which the Unix vendors that were members of FIRST at the time (http://www.first.org/team-info/) were brought together by one of the Unix vendors, advised of the vulnerability, worked out a schedule, and then fixed the problem. When they were ready, they published all at the same time.
The issue involved is time vs manpower vs risk. If a vulnerability exists that is remotely exploitable then every vendor is required to throw in resources to fix it asap. For some vendors this is fixed in minutes or hours while others need weeks to perform the same. Should vendors that fixed them in hours wait several weeks on those vendors that need weeks and leave their customers vulnerable? While I think it is good that vendors keep in touch and try to help each other out, they should not wait too long to release the fixes and their advisories. If some vendors fall behind due to their lack of resources then they need to rethink their resource management. They should not hold back because some vendors are too slow.

Hugo.

-- 
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
hvdkooij () caiw nl	http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)