SCO Responds to security bugs (was: SCO UNIX C2 Security)

Casey Leedom casey at gauss.llnl.gov
Wed Feb 27 02:12:25 AEST 1991


| From: ronald at robobar.co.uk (Ronald S H Khoo)
| 
| | From: jpp at specialix.co.uk (John Pettitt) writes:
| | 
| | Before you ask - no I am not going to post the bug,
| 
| Why not?  You're not one of those ARRRGH SECURITY THRU OBSCURITY people
| are you, John? [[Ad hominem attacks on John deleted.]]

  If SCO had learned about the bug and then not fixed it or told anyone
about it, then they could be accused of security through obscurity.
However, not broadcasting the exact method of making use of a security
hole when distributing a bug patch for that hole is both common practice
and good sense.  Keith Bostic does this for 4BSD security patches for
instance.  You don't want people who haven't had time to install the
security patches to get wiped out.  There may well even be grounds for
a negligence suit if a company did lay its customers open to assault this
way.

  I think you owe John an apology.  You should also probably cross your
fingers and hope you don't get sued by some SCO customer for your post if
it results in them suffering any losses.

Casey
