Dave Sill <de5@de5.CTD.ORNL.GOV> writes:
# Thanks for the explanation. It would have helped if the message sent
# to majordomo-workers explained the plans to repost it later on
# majordomo-users. Even better would have been to post an announcement
# to majordomo-users saying something like:
#
# "A bug has been discovered (and is being actively exploited) that
# lets people run commands as the user that Majordomo runs under.
# Patches for 1.62 and 1.90 are being tested and a full announcement
# will be posted within 24 hours. It might be prudent to disable
# Majordomo by [some simple method] pending availability of the
# patch."
#
# That would have let us know what the risk was, what was being done
# about it, and how to protect ourselves without disclosing the nature
# of the bug itself.
Yes, I agree. All I can do is plead exhaustion and jetlag. I got
about 3 hours of sleep Monday night, then spent all day on a plane to
Boston (for the USENIX conference) then another few hours working on
this problem with John Rouillard here in Boston last night.
-Brent
--
Brent Chapman | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security
+1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates