RE: Final pass on BOF issues for -01
Vulnerabilities published at CERT are ONLY published when the vendor
announces to CERT (usually after they have released a tested patch).
As a BARE minimum vendors MUST provide equipment that does not have any
well known vulnerabilities (where well known can be defined as CERT
published).
Case in point: Buy an XP or Windows 2k system this week and you will
almost certainly get one that has the DCOM vulnerability. I know 3 of my
friends have had me come clean their brand new computer :-)
How can the vendors fix that? Provide CDs or at least instructions to the
stores selling the product.
If !(got packets) then (headers_will_have_2_do == 1)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
> -----Original Message-----
> From: Florian Weimer [mailto:fw@deneb.enyo.de]
> Sent: Tuesday, August 26, 2003 11:52 AM
> To: Budd, Fred
> Cc: opsec@ops.ietf.org
> Subject: Re: Final pass on BOF issues for -01
>
>
> "Budd, Fred" <Fred.Budd@wiltel.com> writes:
>
> > If the language is left in, I'd prefer the following change:
> > Vendors MUST provide fixes for e.g. CERT exploits
>
> CERT/CC doesn't publish exploits.
>
> > for all systems supported at the time the exploit is discovered.
>
> Vendors aren't psychic, usually there isn't a fix if a vulnerability
> is discovered by external testing.
>
> I'd think it's better to omit this area in the document. It's still
> subject to discussion how security bugs in widely deployed networking
> gear should be handled.
>