RE: Anyone here read vuln-dev?

From: Robert Collins <robert.collins@dont-contact.us>
Date: Mon, 30 Oct 2000 08:55:57 +1100

> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@hem.passagen.se]
> Sent: Monday, 30 October 2000 8:52 AM
> To: Robert Collins; squid-bugs@ircache.net
> Cc: squid-dev@squid-cache.org
> Subject: Re: Anyone here read vuln-dev?
>
>
> Robert Collins wrote:
>
> > it's #&NNN; for the format -
>
> I know.. only tested if you were awake ;-) (heck, I have spent the last
> months writing a specialized web server, and have had to deal with these
> issues and a horseload of related issues...)
>
> > 0-1F done. 127 & above done in the attached update html. c (and yes rfc1738
> > was a very handy inspiration :-]
>
> Ok. Will look into all the details shortly.
>
> > <WHINE MODE>Personally I think it would have been appropriate for the
> > "ideas" person to have let squid-dev know before dropping it on the world
> > via vuln-dev....
> > </WHINE MODE>
>
> Then whine on that person, not squid-dev ;-)

Of course:-]. See the end for more...

>
> However, there is an apparent lack of official indication of where to
> report security issues in Squid. IIRC then once in a while squid-bugs
> was documented as the place to send security bugs, but I cannot find any
> indication of where to send security bugs/issues today (if there ever
> has been).
>
> To cure this I propose that
>
> a) security@squid-cache.org is created and documented under "contacting
> us". For the time being should be an alias for the squid-bugs list to
> keep it in private and out of public archives.
>
> b) squid-dev is documented under "contacting us" as a way to reach the
> developers.
>
> c) The non-contact lists mentioned on "contacting us" are ripped out of
> there. It is sufficient if the page says that there are also public
> mailing lists and refer to the mailing list page.
>
> /Henrik
>

Sounds good to me. On a related note, should an announcement be made on
bugtraq (or similar lists) about the patch & the new contact details -
once a patch is incorporated (and available for all "supported"
versions)?

Rob
Received on Sun Oct 29 2000 - 14:57:31 MST
