nanog mailing list archives
Re: possible rsync validation dos vuln
From: Nick Hilliard <nick () foobar org>
Date: Fri, 29 Oct 2021 13:36:54 +0100
Barry Greene wrote on 29/10/2021 13:15:
> That only happens if the team has the time to get the fix into the code, tested, validated, regressed, and deployed. I would say this is a classic example of "ego" to publish overruling established principles.
>
> The University of Twente should explore requiring classes for responsible disclosure.
>
> NCSC, it seems you threw out your own policy:
>
> "The NCSC will try to resolve the security problem that you have reported in a system within 60 days. Once the problem has been resolved, we will decide in consultation whether and how details will be published."
>
> I would have expected you to counsel the researchers on responsible disclosure principles.
Indeed + also manage the vendor disclosure process in a more comprehensive / structured way.
An interesting and worthwhile outcome here would be a presentation on how the set of inputs into the sausage factory produced the mess that's going to be served for lunch on Monday. I.e. let's use this as an opportunity to learn from the mistakes that were made here.
Nick