
Re: FWD: Squirrelmail XSS + SQL security bug?

On Sat, 31 Jul 2004 21:53:25 -0700, you wrote:

>The Debian security team cannot monitor the mailing lists for every project
>in Debian: there are literally thousands.  We rely on channels which are
>explicitly devoted to the dissemination of security announcements (e.g.,
>BUGTRAQ), and communication through the Debian package maintainer (who
>should follow the relevant mailing lists for the project).
>I do not think I have ever seen a security announcement from the
>Squirrelmail project on a public mailing list.

I completely agree with Matt. This was the idea I wanted to say in my
former post. Don't mix development docs (like changelog) with security
ones (security advisories, etc). IMHO, the correct procedure for
SquirrelMail (or other important project) would be to open a security
section where security announcements were placed and _also_ sending
these announcements to security lists (at least, Bugtraq). I'm not a
developer but this is exactly what I usually do if I discover a
security related bug in any piece of software.


PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]