Subject: Re: What to do about unfixed vulnerabilities?
To: Steven M. Bellovin <smb@research.att.com>
From: Matthew Orgass <darkstar@pgh.net>
List: tech-security
Date: 10/23/2000 19:57:30
cc: tech-pkg@netbsd.org, tech-security@netbsd.org
In-Reply-To: <20001023190349.614DF35DC2@smb.research.att.com>
Message-ID: <Pine.BSI.3.96.1001023192246.18894A-100000@doit.pgh.net>

On Mon, 23 Oct 2000, Steven M. Bellovin wrote:

> More to the point, the general thrust of the comment -- that any 
> program with that many uses of known-dangerous functions -- is unlikely 
> to be correct applies on any host.

  Further, warning only about a denial of service attack when there is a
known remote exploit is very misleading.  Pine builds should be disabled
until there is some reason to believe that it is safe to use (as the
comment says, not likely anytime soon). The security notice should say
"don't use pine" and refer to http://www.securityfocus.com/bid/1709 as
well as the comment.

  I'll confess that I'm writing this from pine, not having had the chance
to review alternatives yet.  Does anyone know of a mail client that is
close in feel to pine to refer those of us who like pine but don't really
want to give the world a key to our system? 

Matthew Orgass
darkstar@pgh.net
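The pkgsrc comment quoted in this thread rests on a tally of "known-dangerous functions" in the pine sources. The script below is an added example of how such a tally can be produced and turned into a build gate; it is not part of this message, of the pkgsrc tree, or of pine. The function list (gets, strcpy, strcat, sprintf, vsprintf), the threshold argument, and the two small C files it constructs for a stand-alone run are all assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from pkgsrc: count calls to a short
# list of unbounded libc string functions in a C source tree and refuse to
# proceed when the count exceeds a limit. The function list is an assumption.
DANGEROUS='gets|strcpy|strcat|sprintf|vsprintf'

# dangerous_calls DIR: print "function count" lines, highest count first,
# for every call of a listed function in *.c files under DIR. A call is a
# listed name preceded by a non-identifier character (so strncpy is not
# mistaken for strcpy) and followed by an opening parenthesis.
dangerous_calls() {
    find "$1" -name '*.c' -exec grep -hoE \
        "(^|[^A-Za-z0-9_])($DANGEROUS)[[:space:]]*\(" {} + \
        | sed -E 's/^[^A-Za-z0-9_]//; s/[[:space:]]*\($//' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# dangerous_total DIR: total number of such calls, printed as a number.
dangerous_total() {
    dangerous_calls "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# check_tree DIR LIMIT: return 0 if DIR has at most LIMIT such calls,
# otherwise print the tally to stderr and return 1 so a build script can
# stop instead of shipping the package with a softened warning.
check_tree() {
    total=$(dangerous_total "$1")
    if [ "$total" -gt "$2" ]; then
        echo "$1: $total calls to known-dangerous functions (limit $2)" >&2
        dangerous_calls "$1" >&2
        return 1
    fi
    return 0
}

# make_sample: build a constructed two-file C tree for a stand-alone run and
# print its path. The sources are illustrative, not taken from any project.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/a.c" <<'EOF'
#include <stdio.h>
#include <string.h>
void f(char *dst, const char *src) {
    strcpy(dst, src);          /* unbounded copy */
    strcat (dst, src);         /* space before the paren still counts */
    sprintf(dst, "%s", src);
    strncpy(dst, src, 8);      /* bounded: not counted */
    gets(dst);
    /* the word strcpy in a comment without a paren is not counted */
}
EOF
    cat > "$dir/b.c" <<'EOF'
#include <string.h>
void g(char *d, const char *s) { strcpy(d, s); }
EOF
    echo "$dir"
}

# Stand-alone use: check_tree <dir> [limit]; with no arguments, report on
# the constructed sample tree (the report is informational, so the script
# itself still exits 0).
if [ "$#" -gt 0 ]; then
    check_tree "$1" "${2:-0}"
else
    sample=$(make_sample)
    check_tree "$sample" 0 || true
    rm -rf "$sample"
fi
```

Run against a real package's extracted sources (for pkgsrc, the work directory after `make extract`) with a limit of 0 to get the full list; the output gives the security notice something concrete to cite alongside the BID reference, and a non-zero exit lets a build wrapper disable the package rather than merely warn.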