Re: [cobalt-security] Service [was: QPOP Vulnerability - Again]



Chris Adams wrote:
> Well, that is not what the ISC says.  They also list other security
> problems with 8.2.1 at:
> 
> http://www.isc.org/products/BIND/bind-security-19991108.html
> 
> It is the ISC's position that anything before 8.2.2-P3 has security
> problems (8.2.2-P5 fixes some bugs as well).

Oops, I got those numbers backwards.  The version on RaQ2 is 8.1.2,
not 8.2.1.  There are some DoS attacks against anything older than
8.2.2-Px, and they are on my radar to get fixed as soon as I can.
On the bright side, this version is not vulnerable to the exploit.

> I think a major frustration with Cobalt is that there doesn't seem to be
> any relationship with the users of the product.  Cobalt provides these
> lists as unofficial places where we can have discussions, but there is
> virtually no Cobalt representation on the lists.  

We are trying to remedy this.  I feel your frustration in this aspect,
and I agree with you that it needs to be remedied.  I have discussed
this issue with quite a few people here, and I think I have finally
gotten it to the right ears.  I would expect to see some changes in
the future; details are yet to be worked out.

> You and a couple of
> others pop in here every once in a while, answer a few things, then pop
> back out again.  I understand that people are busy, and that this is not
> an official support area, but developing a good relationship with your
> customers should be a priority.  

Again, I agree with you.  If I spent the time in the lists I would
never get anything else done.  Not to mention the signal-to-noise
ratio at times becomes unbearable. ;)

> I have been on other unofficial lists
> provided by manufacturers, and there was a presence by the company on
> their list.  Let your customers know what is going on, and they will
> feel better.  If there is a problem and it is going to take a month to
> fix it, tell us.  When you don't, there is a feeling that Cobalt is not
> listening and that no fix will ever be produced.  

I cannot apologize enough for this.  There is no excuse that can be
made.  Can you guys offer some suggestions of better ways we can
keep you in the loop as far as updates and patches are concerned?
A weekly newsletter that talks about the issues that have arisen?
I will do my best to monitor the lists a little better until we can
have a more elegant system in place.  I obviously can't respond to
all the email but I will work harder to provide a 'better Cobalt
presence' on the lists.

Please send suggestions directly to me on better ways we can help
serve the community.

Jeff Lovell
Cobalt Networks, Inc.