Re: sendmail vuln advisories (CVE-2006-0058)

[Michal Zalewski <lcamtuf () dione ids pl>]

On Wed, 22 Mar 2006, Marc Bejarano wrote:

> a security vulnerability [...] certain versions [...] under some
> specific timing conditions [...] a specifically crafted attack [...]
> when specific conditions [...] within certain operating system
> architectures [...] certain timing conditions [...] theoretical
> vulnerability [...] specific email payload [...] specific network
> programming skills [...] very specific conditions.

As with many advisories released these days, this announcement contains
almost no vulnerability information other than repetitive, vague mentions
of a "very specific" threat, and a notification that a nondescript patch
is available.

So be it - although I do not subscribe to responsible (limited and overly
delayed) disclosure policies (because they greatly benefit the vendor -
the party at fault - and limit the acceptable behavior of the researcher;
and because they effectively stop independent research into, validation
of, and fixing of, existing flaws)... but OK, this approach is favored by
all the powers to be, no point in starting a flame war.

But isn't it hilarious that this particular advisory is not from a closed
source vendor; but rather, for an open source product - and diffs are
available on the net?

So what's the point of maintaining this writing style, other than making
folks who have legitimate uses for a more detailed information feel
miserable?

/mz