nanog mailing list archives
Re: possible rsync validation dos vuln
From: Barry Greene <bgreene () senki org>
Date: Fri, 29 Oct 2021 20:15:43 +0800
On Oct 29, 2021, at 5:26 PM, Nick Hilliard <nick () foobar org> wrote:
Because this didn't happen, we now get to look forward to a weekend of elevated risk, followed by people upending their calendars to handle un-coordinated upgrades on Monday morning.
That only happens if the team has the time to get the fix into the code, tested, validated, regressed, and deployed. I would say this is a classic example of “ego” to publish overruling established principles. The University of Twente should explore requiring classes for responsible disclosure. NCSC, it seems you threw out your own policy: “The NCSC will try to resolve the security problem that you have reported in a system within 60 days. Once the problem has been resolved, we will decide in consultation whether and how details will be published.” I would have expected you to counsel the researchers on responsible disclosure principles.