Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Operating Systems Security, "Microsoft Security, baby steps"
From: Florian Weimer <fw () deneb enyo de>
Date: Thu, 18 Mar 2004 10:31:36 +0100

Todd Burroughs wrote:

I know that other major software companies use OpenSSL in their products;
the "free/open source" software community responds very quickly, much
faster than any commercial vendor (I noticed that Cisco released
a patch).  This is proof, same day fix vs. fix in a few months.

openssl (0.9.6c-2.woody.5) stable-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Apply upstream patch to fix NULL pointer dereference in
    do_change_cipher_spec (CAN-2004-0079)

 -- Matt Zimmerman <mdz () debian org>  Fri, 27 Feb 2004 09:16:45 -0800

This can hardly be considered a "same day fix".

We don't even know how many weeks this bug was in circulation in the
vendor community before that date.

Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, freenet.de, hotmail.com,
libero.it, netscape.net, postino.it, tiscali.co.uk, tiscali.cz,
tiscali.it, voila.fr, wanadoo.fr, yahoo.com.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]