On Saturday, 28 January 2006 16:33, Eric A. Meyer wrote:
> At 5:15 AM +0100 1/28/06, Jochen Kaechelin wrote:
> >The only thing I want to tell the people on the list is that there might
> > be some subscribers who use a mail system with a vulnerability.
>
> That's a laudable intent. Here's how I think it would have been
> better handled:
>
> * Get in touch with the administrators of the vulnerable host and
> help them to fix the problem in private, before anyone malicious has
> a chance to take advantage of the problem.
> * Mail, off-list, all of the addresses you can find in the
> archives from the affected host, warning them of the problem. You
> could also try mailing the css-d administrator address to ask that we
> pass a message along to all affected accounts in the subscriber
> database.
>
> The problem now is that, given the way you posted about this, you've
> potentially exposed a server vulnerability to the whole world,
> because all list messages are publicly archived. Maybe that won't
> make any difference, but maybe it will.
> Ordinarily, I'd have sent this reply off-list, but I decided it
> was better to respond publicly and establish guidelines for the
> future. I don't want to be a roadblock to improving security, but I
> also don't want to see security warnings on the list. It's just the
> wrong venue, and there are (as I said above) other ways to handle
> such situations.

Ok, but I have a different opinion on handling such things!!!

I informed the responsible people about 12 hours ago and I did not get a response so far! They behave like Microsoft! They know about the problems - sometimes for years - and did not try to solve them. I'm sure that the responsible people would not react when I send them a "private" mail. Perhaps they react when a lot of people know about it!!!

What about pages like securityfocus ..... Why do they publish security holes? And everyone can read it and try an exploit! Are these guys bad?

Isn't it your intention to run a safe system??