if barry DID know, and hadn't done the disclosure himself, doing it without his approval was wrong, because Barry likely had a reason why he hadn't mentioned it yet.
Either way, something like this should have been left to the project developers (i.e. barry) to disclose.
Some of the mailman team knew about this (I did), and it's been actively worked on. One reason it wasn't announced here before was because the problem was in very limited distribution publicly, and putting it on THIS list before the formal patches are ready is a great way to teach everyone who didn't come up with the attack what it is, while mailman sites don't have a patch to solve it. Before, only a few people knew about it (including, obviously, some blackhats). Now, lots of folks do. That makes life worse, not better, for lots of us.
And, FWIW, there are still some questions about who exactly is vulnerable and who isn't, because not everyone can reproduce the problem -- it seems to tie into multiple factors, and it'd be nice if we knew who really had to worry...
but for now, everyone has to, since it was brought forward before everything was ready.
On Feb 9, 2005, at 12:08 PM, Ron Brogden wrote:
Hello Brad. I was under the impression that the Mailman team already knew
about this issue which is why I didn't go through the above procedure.