Re: [fw-wiz] recent disclosure debates

From: Barney Wolff (barney@tp.databus.com)
Date: 12/15/02


From: Barney Wolff <barney@tp.databus.com>
To: "R. DuFresne" <dufresne@sysinfo.com>
Date: Sun Dec 15 21:13:00 2002

On Sun, Dec 15, 2002 at 07:49:02PM -0500, R. DuFresne wrote:
>
> I'm wondering why all the fingers are pointing so dramatically at ISS and
> why ISC has received little or no heat in the issue. It appears in other
> postings through bugtraq that ISS and ISC worked together for at least a
> month on the issues ISS released their advisory on and for which patches
> seem to be dated back to as ISC fixes to code. From all the reading I've
> followed there was a coordinated effort that failed when it came time to
> make the patches available to the public, after members of BIND Forum were
> notified and given advance patches. So, I'm wondering why ISS got so much
> bad press on this issue and ISC remained unscathed for the most part.

Because, as I understand the events, ISS and ISC agreed in advance on
a date for the patches to be available, but when the date came ISS
released the vulnerability without checking that the patches were in
fact available. So for lack of a few minutes effort a nasty situation
was allowed to develop. I'd welcome correction by anybody from ISS or
ISC who actually knows what happened.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

