Re: FWD: Squirrelmail XSS + SQL security bug?
Hi all. Sorry for my late response. I'm on vacation. Comments inline.
On Thu, 22 Jul 2004 20:28:23 +0200 (CEST), you wrote:
>About security fixes in the SquirrelMail code; SquirrelMail does not (contrary to Roman's standpoint) adhere to a obscurity-policy but in stead openly discloses any security fix in our code. In the changelog and in the announcement of the recent 1.4.3 release it's clearly stated that this closes a security hole. If the Debian project wants to we can of course notify them if we patch something but it is principally their responsibility to monitor our lists, announcements and bugtraq.
I practically agree but I think SquirrelMail's site should have a
"security" section where security announcements could be placed. I
don't like to mix a changelog (which is usually more
development-oriented) with security advisories. In the later anyone
could easily check which version is or not vulnerable to a given or
several bugs in a clear way. Thus I don't consider a changelog to be
sufficient to be considered as "open disclose" compliant. Also, in SM
web version 1.4.3 was announced as security fix in the news section
(which is good), but again news are being rotated and sooner or later
the announcement will disappear (and you're mixing news of different
nature with security stuff). This was (and is) my standpoint.
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]