Full Disclosure mailing list archives
Silent Fixes (was GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution)
From: Leif Sawyer <lsawyer () gci com>
Date: Wed, 18 Feb 2004 11:40:57 -0900
gabriel rosenkoetter writes:
> Oh, give me a break. Some developer went, "Oh, hey, I'm not bounds checking there. Okay, fix that," and the changes filtered out into the release of IE. [... blah blah ...] Hell, do we expect Linux or NetBSD [ to tell us about every buffer overflow they fix? ]
Uh. Methinks you don't read the linux kernel mailing list, do you? Yes, every freaking buffer overflow they fix is discussed. In fact, nearly every change made to the kernel is discussed at some point. And it's all documented as to who the person was that inserted the code in the first place, and who fixed it.

Responsible? Check. Open? Check. The way it _should_ be? Check.

Caveat: I don't subscribe to any BSD lists, but I can infer that they have a similar process in place.

Silent fixes suck. The only thing they do is prevent the user from making an informed decision about how to deal with them.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Silent Fixes (was GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution) Leif Sawyer (Feb 18)
- Re: Silent Fixes (was GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution) Anders B Jansson (Feb 18)
- Re: Silent Fixes (was GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution) Michal Zalewski (Feb 18)
- Re: Silent Fixes (was GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution) gabriel rosenkoetter (Feb 18)