Bugtraq mailing list archives

Re: ISS Apache Advisory Response

From: Kee Hinckley <nazgul () somewhere com>
Date: Fri, 21 Jun 2002 15:25:29 -0400

At 6:06 PM -0400 6/20/02, Klaus, Chris (ISSAtlanta) wrote:

In the case of this advisory, ISS X-Force provided an Apache patch and did
not see a need for a long quiet period.

I do not believe that there are any circumstances in which anon-vendor provided patch can be considered equivalent to a quietperiod. The belief that you can just issue a patch and consider theproblem solved shows a complete lack of understanding for thesoftware development process. Review, testing, and QA are all partof that process--a third party patch is no substitute for those. Andno security researcher can claim to have a better understanding ofthe ramifications of a problem than the vendor. This behavior alsocompletely ignores the fact that even for Open Source software thereis an issue of binary-only distributors who need to be given aheads-up.

Due to the general nature of open-source and its openness, the virtual
organizations behind the projects do not have an ability to enforce strict
confidentiality.  By notifying the open source project, its nature is that
the information is quickly spread in the wild disregarding any type of quiet
period.  ISS X-Force minimizes the quiet period and delay of protecting
customers by providing a security patch.

You're kidding, right? "We had to make it public because we didn'ttrust the vendor to keep it secret"? I expected an apology fromyou--not a an attempt to justify your behavior. Some people justdon't know how to say, "Oops, I was wrong."

I see absolutely no reason that notification of open-source projectsshould follow rules any different than those for closed-sourceprojects. The only time you should issue a patch without priornotification is if there is no known maintainer for the software--andeven then it would be wise to run the patch by other people who usethe software first. ISS's behavior here has been completelyirresponsible, and has potential to seriously damage the reputationof the Apache software. And as one of the thousands of systemadministrators currently scrambling to update multiple servers onmultiple platforms scattered on hosting providers around the world, Isincerely hope that ISS will retract this new definition of "quietperiod" that they have invented.

--

Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

Current thread:

ISS Apache Advisory Response Klaus, Chris (ISSAtlanta) (Jun 21)
- Re: ISS Apache Advisory Response Kee Hinckley (Jun 21)
- Re: ISS Apache Advisory Response Thomas Reinke (Jun 21)
- Re: ISS Apache Advisory Response Kevin Spett (Jun 21)
  - Re: ISS Apache Advisory Response Kevin Spett (Jun 22)
- Re: ISS Apache Advisory Response Mike Eldridge (Jun 21)
- Re: ISS Apache Advisory Response Security Admin (Jun 24)
- <Possible follow-ups>
- Re: ISS Apache Advisory Response dminor (Jun 22)