Firewall Wizards mailing list archives

Re: recent disclosure debates


From: Barney Wolff <barney () tp databus com>
Date: Sun, 15 Dec 2002 20:41:36 -0500

On Sun, Dec 15, 2002 at 07:49:02PM -0500, R. DuFresne wrote:

> I'm wondering why all the fingers are pointing so dramatically at ISS and
> why ISC has received little or no heat in the issue.  It appears in other
> postings through bugtraq that ISS and ISC worked together for at least a
> month on the issues ISS released their advisory on and for which patches
> seem to be dated back to as ISC fixes to code.  From all the reading I've
> followed there was a coordinated effort that failed when it came time to
> make the patches available to the public, after members of BIND Forum were
> notified and given advance patches.  So, I'm wondering why ISS got so much
> bad press on this issue and ISC remained unscathed for the most part.

Because, as I understand the events, ISS and ISC agreed in advance on
a date for the patches to be available, but when the date came ISS
released the vulnerability without checking that the patches were in
fact available.  So for lack of a few minutes' effort a nasty situation
was allowed to develop.  I'd welcome correction by anybody from ISS or
ISC who actually knows what happened.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.