Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability

From: Jedi/Sector One <j () pureftpd org>
Date: Wed, 17 Sep 2003 13:39:35 +0200
On Wed, Sep 17, 2003 at 10:20:43AM +0100, Matt Collins wrote:

From: Matt Collins <matt () clues com>
It isnt particularly useful for a cross platform research/discussion list
to be flooded with 7 software release announcements for the same bug,
though. 


  It makes clear that these distros actually care about security.
  
  If I am looking for a secure hardware router or an operating system, I'll
first consider those that are tracking general security-related
mailing-lists and that are posting their advisories there.

  It is obvious that the OpenSSH vuln affects more hardware vendors that
just Cisco. Or more OS/distros than those that posted here. But how to know
if these other vendors actually fixed the flaw? Maybe the patches are only
announced on a mailing-list that only already-existing customers can be
aware of. People who have to make decisions won't spent time digging for
those lists.

  Various vendors posting to Bugtraq and FD are a good thing IMHO. It's just
like replies to a broadcast icmp echo request. Vendors that keep answering
with reasonnable latency can be trusted. Vendors that only replies to their
private network can't be fully trusted by other people. Vendors that don't
answer can't be trusted at all.

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j () 42-Networks Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/";> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/";> Misc. free software </a>  \/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: