Cyrus IMAPd 2.2.13p1 & 2.3.15 Released

Dave McMurtrie dave64 at andrew.cmu.edu
Sat Sep 19 13:39:43 EDT 2009


Henrique de Moraes Holschuh wrote:

>> Which I'm afraid was my fault for saying "it's already been
>> committed to CVS, so it's out there" to them.  Sorry about
>> that.  *sigh*.
> 

I already spoke with Bron off-list at great length about this.  There's 
really no need for any apology on his part.  We greatly appreciate the 
work that Bron puts into Cyrus imapd.

> The problem is not that you told us we could release, you *were* correct in
> doing so: the problem was already as good as published to the whole world by
> the public cvs commit.
> 
> The problem is that CERT, for whatever reason, tried to embargo something
> that was already semi-public, and to make the matters worse, the correct
> people were not told about it in a timely manner.

Fair enough.  The next time an issue like this comes up, I think the 
first thing we can do better on our side is to not commit the fix to CVS 
immediately.

When you say that CERT did not contact the correct people, can you be 
more specific?  Feel free to respond off-list if you feel that's 
necessary.  I have no problem getting back in touch with CERT to provide 
updated contact information for them.

As for this not having been handled in a timely manner, I don't think 
that's a fair criticism.  This bug has existed in the code since Oct 22, 
2003.  Bron reported it to us on 09/02/2009.  I reported it to CERT on 
the evening of 09/02/2009.  CERT responded back to me on 09/03/2009 with 
a plan to contact Cyrus vendors immediately and make an announcement on 
09/10/2009 -- a total of 3 business days for any US vendors since it was 
a holiday weekend.

If you have any additional suggestions on how to better handle security 
issues in the future, please let me know.

Thanks,

Dave