Yesterday, I made a posting that was out of line and non-constructive. I'm going to try to rectify that.

I'm not against people reporting security holes (or posting information on the specifics of the vulnerability, up to and including the method of the attack). If I implied that, it was my error. I have been informed that this list exists to serve users who have become disenchanted with CERT and "the establishment," and hence the readership values _immediate_ disclosure of _all_ security-related problems, and I have no complaint about that, either.

My problem is that the posting to the list was not also sent to Cygnus. Instead, we satisfied another 64 download requests in the time between the posting to BUGTRAQ and notification by a BUGTRAQ reader to Cygnus, some 17 hours after the original posting was made.

Within 30 minutes of (delayed) notification, we verified the problem, shut down our distribution, and began to fix the problem. The problem was fixed 2 hours later, and we spent 6 hours last night and another 4 hours this morning verifying the fix for the platforms we support. We expect to have the fixed software available for ftp within the next few hours. Our start->finish response is expected to be about 19 hours. The reason it didn't happen faster: we were notified just before the end of our business day. Had we been notified _concurrently_ with the BUGTRAQ posting, we'd have fixed the problem yesterday, and we would not have distributed buggy software to 64 additional people.

Modulo relativity, I realize that time applies to all of us equally, and that notifying Cygnus before the public cannot "undo" damage that's been done. OTOH, by not notifying Cygnus promptly, we continued to do damage without knowledge of the fact. That is what really upset me yesterday.

Peace (I hope),
M
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:53:29 PDT