I think you should give the Rainbow users a chance to grab the new source before distributing the details on the bug. Once the details of the bug are published, it will be a lot easier for malicious users [of all skill types] to hack Rainbow sites. I think a week or so since publishing the fix is adequate.

 

Jason

 

 

 

 

-----Original Message-----
From: rainbowportal-devel-admin@lists.sourceforge.net [mailto:rainbowportal-devel-admin@lists.sourceforge.net] On Behalf Of John M
Sent: Monday, April 05, 2004 1:27 PM
To: j.szepan@feuerwehrmann.de; rainbowportal-devel@lists.sourceforge.net
Subject: RE: [Rainbowportal-devel] How to handle secuirty bugs? (was: Rainbow Portal Release Candidate 3)

 

I was debating that one myself... but since there are so many Rainbow websites out there (and quite a lot of them listed on the Rainbow site) I didn't want to post the exact problem but rather give people a chance to get the latest version and then maybe a week later say what the problem was.

What's the general opinion on this one?

John

>From: "Joerg Szepan" <j.szepan@feuerwehrmann.de>
>To: <rainbowportal-devel@lists.sourceforge.net>
>Subject: [Rainbowportal-devel] How to handle secuirty bugs? (was: Rainbow Portal Release Candidate 3)
>Date: Mon, 5 Apr 2004 20:20:48 +0200
>

>Hi guys,
>
>within that new version there is also a security bug fixed. That is great,
>but for my situation: I can't easily update to that version, because I
>made too many changes to an older version. Maybe there are some others
>out there with the same problem.
>Maybe it isn't a good idea to call out a security bug and how to fix
>it, but it would be great to know where the problem is and what I have
>to change to fix it.
>I didn't find any word on where the problem is right now.
>Wouldn't it be better to talk/write about the problem in public and
>discuss a/the solution?
>
>kind regards
>
>Joerg

>-----Original Message-----
>From: rainbowportal-devel-admin@lists.sourceforge.net
>[mailto:rainbowportal-devel-admin@lists.sourceforge.net] On Behalf Of
>John M
>Sent: Sunday, April 04, 2004 10:46 PM
>To: rainbowportal-devel@lists.sourceforge.net
>Subject: [Rainbowportal-devel] Rainbow Portal Release Candidate 3
>

>Hi all,
>
>Just to let you know that I have packaged the latest cvs as release
>candidate 3. It's more stable than RC2 and contains an important
>security fix.
>
>Please note that the security problem is not something to take lightly
>and I recommend you upgrade your site and your client's sites straight
>away.
>
>The link to sf is
>http://prdownloads.sourceforge.net/rainbowportal/Rainbow-RC3.zip?download
>
>Regards,
>
>John


>_______________________________________________

>Rainbowportal-devel mailing list

>Rainbowportal-devel@lists.sourceforge.net

>https://lists.sourceforge.net/lists/listinfo/rainbowportal-devel


