Subject: Re: What to do about unfixed vulnerabilities?
From: Paul Hoffman (phoffmanproper.com)
Date: Mon Oct 23 2000 - 20:24:45 CDT


At 7:57 PM -0400 10/23/00, Matthew Orgass wrote:
>On Mon, 23 Oct 2000, Steven M. Bellovin wrote:
>
>> More to the point, the general thrust of the comment -- that any
>> program with that many uses of known-dangerous functions -- is unlikely
>> to be correct applies on any host.
>
> Further, warning only about a denial of service attack when there is a
>known remote exploit is very misleading. Pine builds should be disabled
>until there is some reason to believe that it is safe to use (as the
>comment says, not likely anytime soon). The security notice should say
>"don't use pine" and refer to http://www.securityfocus.com/bid/1709 as
>well as the comment.

I disagree with the "don't use pine" part, because...

> I'll confess that I'm writing this from pine, not having had the chance
>to review alternatives yet. Does anyone know of a mail client that is
>close in feel to pine to refer those of us who like pine but don't really
>want to give the world a key to our system?

There is no character-based MUA that is nearly as standards-compliant
as pine. (Well, there are some that have many fewer features that are
more standards-compliant, but you can figure out why....)