Full Disclosure mailing list archives

Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability


From: Cory Donnelly <lists2 () onryou com>
Date: Wed, 02 Jun 2004 08:24:30 -0400

Matt Zimmerman wrote:
> Such vendors/developers are doing their users and the community a
> disservice.  Proper public disclosure of vulnerabilities requires very
> little effort on their part; there is no good reason to conceal
> information this way.  There is no need to contact every downstream
> vendor directly; they monitor the usual channels.

From the shortsighted developer's perspective there are *plenty* of very
compelling reasons to discreetly fix vulnerabilities.

A developer may be wary of losing his/her job should management learn of
the gaffe.

A developer's pride may prevent him/her from notifying the appropriate
folks in his/her organization.

A developer may not realize the seriousness of a vulnerability (or may
fix it accidentally).

Management may pressure the developer to keep the changelog positive,
using the argument that all documentation associated with their software
must go through the PR department.

Obviously the world would be a better place if these disclosures were
made (and made consistently), but there are plenty of good reasons
(depending on perspective) to keep quiet about bug fixes.

Regardless, we've strayed off-topic -- Roman's original point about how
backporting security patches to debian-stable only works when
debian-stable backporters are aware of vulnerabilities is absolutely
correct.

take care,

Cory
