Re: Moving ahead
Let me just clarify that I meant candidates, not issues.
Further, those candidates which I have not commented on to date I
On Tue, Jun 15, 1999 at 09:58:43AM -0400, Adam Shostack wrote:
| We have disagreement on a few issues; I'll suggest that Steve put
| those forth one at a time for consideration. I'll also say that to do
| a proper review job, the list was too long; I didn't start it several
| times because I wanted to go through it in one go, and thus my
| response was delayed.
| In addition, I want to raise three more, now that I've finished
| looking into them.
| CAN-1999-0014 we have insufficient data if a new CDE dtappgather bug
| comes out to determine if its new or a re-invention. (REJECT)
| CAN-1999-0032 the mention of (lp) is misleading. The problem was with
| the BSD lpr family, not the SYSV lp family. (MODIFY)
| CAN-1999-0099 the problem was demonstrated publicly through sendmail,
| there is no reason to expect it could not be used through another
| program. Suggest phrasing: "A buffer overflow in syslog which was
| demonstrably exploitable via sendmail." (MODIFY)