[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Final pass on BOF issues for -01

To: "Budd, Fred" <Fred.Budd@wiltel.com>
Subject: Re: Final pass on BOF issues for -01
From: Florian Weimer <fw@deneb.enyo.de>
Date: Tue, 26 Aug 2003 19:51:30 +0200
Cc: <opsec@ops.ietf.org>
In-reply-to: <EC0BF05B9ABDCD4FB1439B1B9F591BAA113A33@EXCHANGE2.ad.wcg.com> (FredBudd's message of "Tue, 19 Aug 2003 12:12:41 -0500")
References: <EC0BF05B9ABDCD4FB1439B1B9F591BAA113A33@EXCHANGE2.ad.wcg.com>
User-agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (gnu/linux)

"Budd, Fred" <Fred.Budd@wiltel.com> writes:

> If the language is left in, I'd prefer the following change:
> Vendors MUST provide fixes for e.g. CERT exploits

CERT/CC doesn't publish exploits.

> for all systems supported at the time the exploit is discovered.

Vendors aren't psychic, usually there isn't a fix if a vulnerability
is discovered by external testing.

I'd think it's better to omit this area in the document.  It's still
subject to discussion how security bugs in widely deployd networking
gear should be handled.

Follow-Ups:
- Re: Final pass on BOF issues for -01
  - From: George Jones <gmj@pobox.com>

References:
- RE: Final pass on BOF issues for -01
  - From: "Budd, Fred" <Fred.Budd@wiltel.com>

Prev by Date: Re: Citing ANSI docs
Next by Date: RE: Final pass on BOF issues for -01
Previous by thread: Well known vulnerabilities (was RE: Final pass on BOF issues for-01)
Next by thread: Re: Final pass on BOF issues for -01
Index(es):
- Date
- Thread