From jmb@FRB.GOV Mon Jul 1 01:39:13 1996
Received: from newfed.FRB.GOV (newfed.frb.gov [198.3.221.5])
    by suburbia.net (8.7.4/Proff-950810) with SMTP id BAA18013 for ;
    Mon, 1 Jul 1996 01:39:10 +1000
Received: from FRB.GOV by newfed.FRB.GOV (4.1/SMI-4.0) id AA02311;
    Sun, 30 Jun 96 11:39:29 EDT
Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0) id AA28212;
    Sun, 30 Jun 96 11:38:32 EDT
Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1])
    by kryten.frb.gov (8.6.12/8.6.12) with SMTP id LAA15220;
    Sun, 30 Jun 1996 11:36:21 -0400
Message-Id: <199606301536.LAA15220@kryten.frb.gov>
X-Authentication-Warning: kryten.frb.gov: Host localhost.frb.gov didn't use HELO protocol
X-Mailer: exmh version 1.6.5 12/11/95
To: "Rob J. Nauta"
Cc: BUGTRAQ@NETSPACE.ORG, linux-security@tarsier.cv.nrao.edu,
    ichudov@algebra.com, jlewis@inorganic5.chem.ufl.edu,
    best-of-security@suburbia.net
Subject: Re: BoS: Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability
In-Reply-To: Your message of "Sun, 30 Jun 1996 11:54:01 +0200." <199606300954.LAA02300@brasaap.iaehv.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 30 Jun 1996 11:36:21 -0400
From: "Jonathan M. Bresler"

>PERL news. This just shows 1) CERT alerts aren't that bad, by reading
>it I reproduced an exploit in minutes 2) security lists aren't everything,

CERT sends out a notice as soon as the vendor agrees. Larry Wall fixed the code quickly, tested and prepared patches. The issue is not CERT, the issue is CERT's policy of waiting for the vendor regardless of how long the vendor takes to produce a fix. (hours? days? weeks? .....) It's the unlimited waiting period that tweaks people.

jmb

--
Jonathan M. Bresler 202-452-2831 breslerj@frb.gov
MS-169
Federal Reserve Board of Governors
Washington DC 20551
Speaking for myself. Others speak for the Federal Reserve Board of Governors