At 5:15 AM +0100 1/28/06, Jochen Kaechelin wrote:
>The only thing I want to tell the people on the list is that there might be
>some subscribers who use a mail system with a vulnerability.
That's a laudable intent. Here's how I think it would have been
better handled:
* Get in touch with the administrators of the vulnerable host and
help them to fix the problem in private, before anyone malicious has
a chance to take advantage of the problem.
* Mail, off-list, all of the addresses you can find in the
archives from the affected host, warning them of the problem. You
could also try mailing the css-d administrator address to ask that we
pass a message along to all affected accounts in the subscriber
database.
The problem now is that, given the way you posted about this, you've
potentially exposed a server vulnerability to the whole world,
because all list messages are publicly archived. Maybe that won't
make any difference, but maybe it will.
Ordinarily, I'd have sent this reply off-list, but I decided it
was better to respond publicly and establish guidelines for the
future. I don't want to be a roadblock to improving security, but I
also don't want to see security warnings on the list. It's just the
wrong venue, and there are (as I said above) other ways to handle
such situations.
--
Eric A. Meyer (http://meyerweb.com/eric/), List Chaperone
"CSS is much too interesting and elegant to be not taken seriously."
-- Martina Kosloff (http://mako4css.com/)
______________________________________________________________________
css-discuss [EMAIL PROTECTED]
http://www.css-discuss.org/mailman/listinfo/css-d
List wiki/FAQ -- http://css-discuss.incutio.com/
Supported by evolt.org -- http://www.evolt.org/help_support_evolt/