RE: [Full-Disclosure] Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability

From: Brown, Rodrick (rbrown_at_doitt.nyc.gov)
Date: 09/17/03

    To: "Matt Collins" <matt@clues.com>, <kernelclue@hushmail.com>
    Date: Wed, 17 Sep 2003 07:31:24 -0400
    
    

    I tend to agree with the author: the vendor spamming is getting ridiculous. 90% of their users don't even read security lists, and it's very redundant and silly to have 6 to 10 vendors spam mailing lists with patches to an exploited application we have been discussing for months.
     
    I don't see why most moderators don't ban emails like this; if your users want to be notified of new patches, they should join security@vendor.com

    ________________________________

    From: full-disclosure-admin@lists.netsys.com on behalf of Matt Collins
    Sent: Wed 9/17/2003 5:20 AM
    To: kernelclue@hushmail.com
    Cc: full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability

    On Tue, Sep 16, 2003 at 02:08:48PM -0700, kernelclue@hushmail.com wrote:
    > OpenSSH runs on a number of platforms, Windows included. To say this
    > reflects on GNU/Linux or any Linux distro is just nonsense.

    He wasn't. He was suggesting the utility of bug-discussion lists is
    reduced by having the same bug reported multiple times by every
    vendor out there. It wasn't anything to do with the OpenSSH issue.

    I tend to agree - if you want redhat patches subscribe to their security
    mailing list. If redhat find a new bug, they of course
    should post it to bugtraq, full disclosure, or their communications medium
    of choice.

    It isn't particularly useful for a cross platform research/discussion list
    to be flooded with 7 software release announcements for the same bug,
    though. Even if there is an argument that a central clearing house for
    patch releases is a useful thing, splitting out 'initial notification'
    (this bug exists in funny_mail) from 'patch release' (vendors 1 2 3
    4 ... 1000 have a patch for their packaged version of funny_mail!)
    makes both lists more readable and more useful.

    Such a gain in utility might even increase contribution; if instead of
    having to dedicate hours to 'eyeballing' out the repeated messages with
    no new information beyond a URL for download of a particular precompiled
    patch the list became more useful 'raw' information, it would become
    much easier to regularly partake of it.

    YMMV of course.

    Matt

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


