Re: [Mailman-Users] any info on this reported exploit?

2006-01-30 Thread Stephen J. Turnbull
"Jim" == Jim Popovitch [EMAIL PROTECTED] writes: Jim> BTW, just who are the members of mailman-security? It's a self-selecting group, though not a terribly secret one; I believe the membership of that list has been described, if not explicitly listed, in the past. But I know Barry well enough

Re: [Mailman-Users] any info on this reported exploit?

2006-01-30 Thread Brad Knowles
At 10:11 PM -0500 2006-01-29, Jim Popovitch quoted Stephen J. Turnbull: And if three people ask on mailman-security? There's a short post to mailman-users, and it ends up in the faq, because it's a PITA for the developers to keep answering it. What's wrong with that? Nothing,

Re: [Mailman-Users] any info on this reported exploit?

2006-01-30 Thread Brad Knowles
At 10:14 PM -0500 2006-01-29, Jim Popovitch wrote: Well, I disagree with the current procedure, which, based on past emails, suggests that no one is kept informed about security concerns, and only those that hear about one on their own can get a private response by emailing

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread Stephen J. Turnbull
"Jim" == Jim Popovitch [EMAIL PROTECTED] writes: Jim> Stephen J. Turnbull wrote: Oh, if you prefer windstorms, hurricane is a bad analogy. Far more accurate is tornado.0.1 wink Jim> Hurricane is the most accurate analogy, because with Jim> hurricanes nobody knows about them

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread Jim Popovitch
Brad Knowles wrote: At 2:11 PM -0500 2006-01-28, Jim Popovitch wrote: The whole reason for me waxing so passionately on this thread is the earlier suggestion that Diana shouldn't have even emailed mailman-users, but rather mailman-security and kept it quiet thereafter (this after it was

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread Brad Knowles
At 4:10 PM -0500 2006-01-29, Jim Popovitch wrote: But, Diana wasn't emailing sensitive info. She was asking a very important question about something that was already public. You then told her that she should have gone to the secret-handshake club. Are you suggesting that all Hey, has

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread JustBrits_com
If we insist that everyone follow the proper procedure every time, then we shouldn't have any problems. But if you can't (or won't) follow the proper procedures, then I think it's perfectly reasonable to ask that you go somewhere else. THANK you, Brad!! I think all Admins/Owners have same

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread Stephen J. Turnbull
"Jim" == Jim Popovitch [EMAIL PROTECTED] writes: Jim> She was asking a very important question about something that Jim> was already public. What important question? It's an easy to execute exploit (in fact, it occasionally happens due to ordinary mail, that's why it was found and fixed

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread Jim Popovitch
Stephen J. Turnbull wrote: "Jim" == Jim Popovitch [EMAIL PROTECTED] writes: Jim> She was asking a very important question about something that Jim> was already public. What important question? I quote Diana from her original email that sparked this thread: The notice suggests all versions

Re: [Mailman-Users] any info on this reported exploit?

2006-01-29 Thread Jim Popovitch
Brad Knowles wrote: If we insist that everyone follow the proper procedure every time, then we shouldn't have any problems. Well, I disagree with the current procedure, which, based on past emails, suggests that no one is kept informed about security concerns, and only those that hear about

Re: [Mailman-Users] any info on this reported exploit?

2006-01-28 Thread Brad Knowles
At 12:43 AM -0500 2006-01-28, Jim Popovitch wrote: No. What I am suggesting/recommending is this: If the developers know on Monday of some super secret issue, and presumably they won't have a robust fully-tested solution until Friday, I want them to tell me in no-detail to alert me to

Re: [Mailman-Users] any info on this reported exploit?

2006-01-28 Thread Jim Popovitch
Brad Knowles wrote: But on Monday, they may not know how long it will take them to create a patch. It might turn out to be a simple matter that can be fixed by Tuesday morning, or it might be complex and take weeks or months. But when they make that initial announcement, assuming

Re: [Mailman-Users] any info on this reported exploit?

2006-01-28 Thread Brad Knowles
At 10:31 AM -0500 2006-01-28, Jim Popovitch wrote: But when they make that initial announcement, assuming no one else has posted something to some other mailing list, they're basically firing the starter's pistol for the blackhats to race to locate the bug and start exploiting it

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Brad Knowles
At 9:05 PM -0500 2006-01-26, Jim Popovitch wrote: Fortunately, in this case it is a known issue (which others have apparently decided to portray in a very different way), and which has already been addressed (as described by Tokio). OK, but what about the next one? What do Mailman

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Jim Popovitch
Brad Knowles wrote: There is a QA process that such patches need to go through, even if we're talking about a bug that is currently being exploited widely. In fact, the more it's being exploited, and the more dangerous it is, I think the more testing needs to be done to

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Brad Knowles
At 1:00 AM -0500 2006-01-27, Jim Popovitch wrote: I'm pretty sure that the insiders fix their systems first, then tell the rest of us about the patch, probably at the last minute possible. The insiders here are people like Barry, Tokio,

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Stephen J. Turnbull
"Jim" == Jim Popovitch [EMAIL PROTECTED] writes: Jim> I guess we just see system administration from different Jim> angles, I prefer communication to silence. Of course. So does everybody. Specifically, so do the crackers. Jim> Barry/Tokio/Mark: Folks, yesterday we were informed of a

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Jim Popovitch
Stephen J. Turnbull wrote: 5. Security patches are asynchronous, like earthquakes, they happen when they happen. Very bad analogy. Hurricanes would be better. There is plenty of potential for user-base warning before a patch is to be released. If the patch comes out on Friday at 4:45, I

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Brad Knowles
At 3:41 PM -0500 2006-01-27, Jim Popovitch wrote: 5. Security patches are asynchronous, like earthquakes, they happen when they happen. Very bad analogy. Hurricanes would be better. There is plenty of potential for user-base warning before a patch is to be released. No,

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Jim Popovitch
Brad Knowles wrote: At 3:41 PM -0500 2006-01-27, Jim Popovitch wrote: 5. Security patches are asynchronous, like earthquakes, they happen when they happen. Very bad analogy. Hurricanes would be better. There is plenty of potential for user-base warning before a patch is to be

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Jim Popovitch
Jim Popovitch wrote: Brad Knowles wrote: At 3:41 PM -0500 2006-01-27, Jim Popovitch wrote: 5. Security patches are asynchronous, like earthquakes, they happen when they happen. Very bad analogy. Hurricanes would be better. There is plenty of potential for user-base warning before a

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Stephen J. Turnbull
"Jim" == Jim Popovitch [EMAIL PROTECTED] writes: Jim> Stephen J. Turnbull wrote: 5. Security patches are asynchronous, like earthquakes, they happen when they happen. Jim> Very bad analogy. Hurricanes would be better. There is Jim> plenty of potential for user-base warning

Re: [Mailman-Users] any info on this reported exploit?

2006-01-27 Thread Jim Popovitch
Stephen J. Turnbull wrote: "Jim" == Jim Popovitch [EMAIL PROTECTED] writes: Oh, if you prefer windstorms, hurricane is a bad analogy. Far more accurate is tornado.0.1 wink Hurricane is the most accurate analogy, because with hurricanes nobody knows about them until the NWS (at least here in

[Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Diana Orrick
http://www.securityfocus.com/bid/16248/discuss GNU Mailman Large Date Data Denial Of Service Vulnerability GNU Mailman is prone to a denial of service attack. This issue affects the email date parsing functionality of Mailman. The vulnerability could be triggered by mailing list posts and will

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Brad Knowles
At 1:05 PM -0500 2006-01-26, Diana Orrick wrote: http://www.securityfocus.com/bid/16248/discuss GNU Mailman Large Date Data Denial Of Service Vulnerability GNU Mailman is prone to a denial of service attack. This issue affects the email date parsing functionality of Mailman. The

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Jim Popovitch
Brad Knowles wrote: All security-related questions should be handled in accordance with FAQ 1.27, see http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp. OK, that makes some sense to keep it hush-hush for a while. HOWEVER, what is the process for notifying Mailman

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Tokio Kikuchi
Hi, Diana Orrick wrote: http://www.securityfocus.com/bid/16248/discuss GNU Mailman Large Date Data Denial Of Service Vulnerability GNU Mailman is prone to a denial of service attack. This issue affects the email date parsing functionality of Mailman. The vulnerability could be

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Diana Orrick
Thank you for your prompt response and suggestion! ~~~ Diana Mayer Orrick email: [EMAIL PROTECTED] University Computing Services ph: (850) 644-2591 Florida State University fax: (850) 644-8722

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Jim Popovitch
Tokio Kikuchi wrote: [snip] This is the mechanism of Denial of Service. Thank you Tokio for the very detailed info. Therefore, the site administrator should check the qfiles/shunt directory and the logs/error file periodically. Brad Knowles' Daily Status Report should help in this

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Brad Knowles
At 4:40 PM -0500 2006-01-26, Jim Popovitch wrote: http://sourceforge.net/tracker/index.php?func=detail&aid=1123383&group_id=103&atid=300103 Excellent addition to Mailman. I presume this will wind up in the distribution one day? There is a slightly older version of the script which

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Brad Knowles
At 3:28 PM -0500 2006-01-26, Jim Popovitch wrote: OK, that makes some sense to keep it hush-hush for a while. HOWEVER, what is the process for notifying Mailman admins of temporary workarounds for this and any other situation? I honestly don't want to wait for an official patch if there

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Jim Popovitch
Brad Knowles wrote: At 3:28 PM -0500 2006-01-26, Jim Popovitch wrote: OK, that makes some sense to keep it hush-hush for a while. HOWEVER, what is the process for notifying Mailman admins of temporary workarounds for this and any other situation? I honestly don't want to wait for an

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Brad Knowles
At 5:53 PM -0500 2006-01-26, Jim Popovitch wrote: Fair enough. I would like to find a way for myself (and other Mailman admins) to be in that appropriate place. This doesn't mean all Mailman users, perhaps there should be a pre-screened [EMAIL PROTECTED] list. IMO, this is the

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Jim Popovitch
Brad Knowles wrote: Fortunately, in this case it is a known issue (which others have apparently decided to portray in a very different way), and which has already been addressed (as described by Tokio). OK, but what about the next one? What do Mailman system admins do, wait? -Jim P.

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Mark Sapiro
Jim Popovitch wrote: OK, but what about the next one? What do Mailman system admins do, wait? Yes, I think so. The alternative is everyone goes off half-cocked and you have a situation such as occurred about a year ago with the CAN-2005-0202 issue http://www.list.org/security.html. In this

Re: [Mailman-Users] any info on this reported exploit?

2006-01-26 Thread Jim Popovitch
Mark Sapiro wrote: Jim Popovitch wrote: OK, but what about the next one? What do Mailman system admins do, wait? Yes, I think so. The alternative is everyone goes off half-cocked and you have a situation such as occurred about a year ago with the CAN-2005-0202 issue