Bugtraq mailing list archives

Re: FORCED RELEASE NOTES - CORE-090400 - BID 1634


From: "van der Kooij, Hugo" <Hugo.van.der.Kooij () CAIW NL>
Date: Tue, 5 Sep 2000 09:00:00 +0200

On Tue, 5 Sep 2000, Jim Duncan wrote:

Vulnerability Help writes:

....

[...]
The net result here is that Linux vendors were aware this problem existed
in *other* non Linux UNIX distributions. In particular they were aware of
the fact that Solaris was vulnerable, yet advisories were released
regardless of this. It is a given that people who understand that the
Local Subsystem is cross platform (this is essentially anyone who reads
Bugtraq..) would realize that this problem would affect more than just
Linux distributions. As a result of no attempt to work amongst the Linux
vendors with other vendors a series of OS's are now unprotected to a very
serious, very widespread bug.

That's not true; the FIRST maintains a method for competing vendors to
share sensitive information like this and to coordinate public
announcements regarding vulnerabilities.  There have been major events
in the past in which the Unix vendors that were members of FIRST at the
time (http://www.first.org/team-info/) were brought together by one of
the Unix vendors, advised of the vulnerability, worked out a schedule,
and then fixed the problem.  When they were ready, they published all
at the same time.

The issue involved is time vs manpower vs risk.

If a vulnerability exists that is remotely exploitable then every vendor is
required to throw in resources to fix it asap. For some vendors this is
fixed in minutes or hours while others need weeks to perform the same.

Should vendors that fixed them in hours wait several weeks on those
vendors that need weeks and leave their customers vulnerable?

While I think it is good that vendors keep in touch and try to help each
other out they should not wait too long to release the fixes and their
advisories.

If some vendors fall behind due to their lack of resources then they need
to rethink their resource management. They should not hold back
because some vendors are too slow.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)