[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability

To: "Matt Collins" <matt@xxxxxxxxx>, <kernelclue@xxxxxxxxxxxx>
Subject: RE: [Full-Disclosure] Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability
From: "Brown, Rodrick" <rbrown@xxxxxxxxxxxxx>
Date: Wed, 17 Sep 2003 07:31:24 -0400

I tend to agree with the author the vendor spamming is getting ridiclous 90% of 
there users dont even read securitylists, and its very redundant and silly to 
have 6 to 10 vendors spam mailinglists with patches to a exploited application 
we have been discussing for months. 

I dont see why most moderators dont ban emails like this, if your users want to 
be notified of new patches they should join security@xxxxxxxxxx 

________________________________

From: full-disclosure-admin@xxxxxxxxxxxxxxxx on behalf of Matt Collins
Sent: Wed 9/17/2003 5:20 AM
To: kernelclue@xxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] Re: [RHSA-2003:279-01] Updated OpenSSH packages 
fix potential vulnerability

On Tue, Sep 16, 2003 at 02:08:48PM -0700, kernelclue@xxxxxxxxxxxx wrote:
> OpenSSH runs on a number of platforms, Windows included.  To say this
> reflects on GNU/Linux or any Linux distro is just nonsense.

He wasn't. He was suggesting the utility of bug-discussion lists is
reduced by having the same bug reported multiple times by every
vendor out there. It wasnt anything to do with the OpenSSH issue.

I tend to agree - if you want redhat patches subscribe to their security
mailing list. If redhat find a new bug, they of course
should post it to bugtraq, full disclosure, or their communications medium
of choice.

It isnt particularly useful for a cross platform research/discussion list
to be flooded with 7 software release announcements for the same bug,
though. Even if there is an argument that a central clearing house for
patch releases is a useful thing, splitting out 'initial notification'
(this bug exists in funny_mail) from 'patch release' (vendors 1 2 3
4 ... 1000 have a patch for their packaged version of funny_mail!)
makes both lists more readable and more useful.

Such a gain in utility might even increase contribution; if instead of
having to dedicate hours to 'eyeballing' out the repeated messages with
no new information beyond a URL for download of a particular precompiled
patch the list became more useful 'raw' information, it would become
much easier to regularly partake of it.

YMMV of course.

Matt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability
  - From: Len Rose
- Re: [Full-Disclosure] Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability
  - From: Valdis . Kletnieks
- RE: [Full-Disclosure] Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability
  - From: Bojan Zdrnja

Prev by Date: Re: [Full-Disclosure] Verisign abusing .COM/.NET monopoly, BIND releases new
Next by Date: Re: [Full-Disclosure] Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability
Previous by thread: Re: [Full-Disclosure] Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability
Next by thread: Re: [Full-Disclosure] Re: [RHSA-2003:279-01] Updated OpenSSH packages fix potential vulnerability
Index(es):
- Date
- Thread