OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Remote DoS Attack in Eeye Iris 1.01 and SpyNet CaptureNet v3.12 Vulnerability
From: Dan Harkless (dan-bugtraqDILVISH.SPEED.NET)
Date: Thu Aug 31 2000 - 19:50:08 CDT

"Jay D. Dyson" <jdysonTREACHERY.NET> writes:
> I don't typically do this, but I feel I must question the validity
> (and even the value) of issuing a DoS advisory on products that are either
> in Beta or no-longer-supported.
>
> That a product is in Beta means that the vendor has a distinctly
> open-door policy on any bug reports regarding the software. Beta == Bugs.
> No surprise there. ...Yet when a product is no longer supported, issuing
> a DoS exploit against it isn't only yesterday's news...it's slapping the
> jellied *remains* of a dead horse.

If the vulnerability is serious (e.g. can get root access -- DoS only
affecting the product probably would not qualify), I see no problem with
reporting bugs in beta software. Some software stays in 0.x mode for years.

And just because a product is no longer supported doesn't mean it's not in
wide use. A lot of software becomes stable, goes into wide use, and then
there comes a time where there's no official maintainer, or the official
maintainer is unresponsive.

For instance, if someone found a glaring security hole in obtuse.com's
smtpd, which isn't being actively supported (I've contributed patches to
them and have never received any reply), I'd want to hear about it.

----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraqdilvish.speed.net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.