Bugtraq mailing list archives

Re: SN 4.0 huge security hole


From: tiemann () CYGNUS COM (Michael Tiemann)
Date: Wed, 13 May 1998 17:21:40 -0700


Your message has been received, understood, and a technical fix has been
implemented and is being tested.  We have disabled ftp downloads of
SN-Lite for all platforms, and have already formulated a fix.  We are
contacting CERT to post a proper advisory and fix.

I would ask that in the future, you follow proper security notification
protocol, which is to attempt to contact the vendor with such problems
first, so that immediate action can be taken to resolve the problem
before widely exposing the vulnerability.  You should reserve public
exposure for the rare cases that the vendor ignores your warning.  As it
is, you have probably induced several enterprising crackers to attempt
to exploit this vulnerability in the few hours it will take us to
re-spin all the software, and thus you are the one who would be liable
for any misuse of this bug.

Please direct your followups to myself, not the lists that I have ack'd
your message to.  Thanks,

Michael Tiemann


