Mailing Lists: Apple Mailing Lists


Re: Response -> Problem ID: 6103391 Mac OS X Server Security Updates Lacking in Timeliness



On Sun, Jul 27, 2008 at 3:10 PM, Jaime Magiera
<email@hidden> wrote:
> On Jul 25, 2008, at 8:30 PM, Chris Barker wrote:
>>
>> Submitted mine around the same time as yours (6103700), under security for
>> 10.4.11 server.
>>
>> Be interesting to see what their response time is on a Friday afternoon.
>
> Hi,
>
> Interestingly enough, I got a response this morning (Sunday). Apparently,
> they are well aware of the problem, but ran into difficulties with the patch
> that rendered some BIND installations unusable. They are currently working
> out the issues and will have an update shortly. Fair enough. As I mentioned
> previously, when the truth comes out, we see the problem was not an issue of
> "elected", but one of unintended problems.
>
> I don't want to pick apart someone's words, particularly when they are not
> here to defend themselves, but there was one thing in the response that
> tweaked me the wrong way. Essentially, words to the effect of "It would be
> worse to break this functionality than to rush out a 'fix', especially since
> we have received no report of any actual exploit against our installed
> base." IMHO, this is a security vulnerability whose remedy precludes
> known exploit attempts against the user base. I know that isn't what the
> Apple person meant literally, but it is likely indicative of a mindset that
> Apple needs to shake. Now that the vulnerability's details have been
> published from here to Timbuktu, we know that at least a marginal amount of
> script kiddies will attempt to exploit it. This fact puts the
> vulnerability's remedy in the category of "preventative measures".
>
> At any rate, I feel much better knowing that Apple is in fact attempting to
> remedy the situation. It is not off their radar so to speak.
>
> So, that's the scoop. Continue to have a great weekend,
>
> Jaime Magiera
>
> Sensory Research
> http://www.sensoryresearch.net
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Macos-x-server mailing list      (email@hidden)
> Help/Unsubscribe/Update your Subscription:
> http://lists.apple.com/mailman/options/macos-x-server/email@hidden
>
> This email sent to email@hidden
>

That reply is just, well, WOW.

It would be nice if that is the state, that they make a statement as
such to the CERT team, so there is at least something more than just
"no response" listed on the CERT page.

I'll see what I get on my response.

-- 
Chris Barker
Purveyor of Fine Suggestions
ACSA

References: 
 >Filed -> Problem ID: 6103391 Mac OS X Server Security Updates Lacking in Timeliness (From: Jaime Magiera <email@hidden>)
 >Re: Filed -> Problem ID: 6103391 Mac OS X Server Security Updates Lacking in Timeliness (From: "Chris Barker" <email@hidden>)
 >Re: Response -> Problem ID: 6103391 Mac OS X Server Security Updates Lacking in Timeliness (From: Jaime Magiera <email@hidden>)


