Lars Troen wrote: > Micheal, > Full disclosure is good, but it's pretty standard procedure to contact > the developer directly first and issue the vulnerability report to the > public when a fix is ready. Even if this vulnerability was not rated > critical I still think you should have followed this procedure. As this > issue was discussed on this list yesterday(!) under a subject that > didn't make it obvious, you can't expect Fritz to have issued a fix by > today. Fritz never commented that thread and you can't always expect a > fix to be ready in 1 day (even if we have a fix ready now).
I hear you, but it wasn't newly discovered - but I agree; in hind-sight I should have waited to hear a proper response from Fritz. In my defense, there is no 'in-house' notification method to alert users of security issues. I'm not sure what you are inferring, as I had no such expectations of any kind of anyone - and I don't mean that in a negative way. Fritz, I hope you didn't take any of this the wrong way. ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Assp-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/assp-user
