Subject: Re: What to do about unfixed vulnerabilities?
To: None <email@example.com, firstname.lastname@example.org>
From: Paul Hoffman <email@example.com>
Date: 10/23/2000 18:24:45

At 7:57 PM -0400 10/23/00, Matthew Orgass wrote:
>On Mon, 23 Oct 2000, Steven M. Bellovin wrote:
>> More to the point, the general thrust of the comment -- that any
>> program with that many uses of known-dangerous functions is unlikely
>> to be correct -- applies on any host.
> Further, warning only about a denial of service attack when there is a
>known remote exploit is very misleading. Pine builds should be disabled
>until there is some reason to believe that it is safe to use (as the
>comment says, not likely anytime soon). The security notice should say
>"don't use pine" and refer to http://www.securityfocus.com/bid/1709 as
>well as the comment.

I disagree with the "don't use pine" part, because...

> I'll confess that I'm writing this from pine, not having had the chance
>to review alternatives yet. Does anyone know of a mail client that is
>close in feel to pine to refer those of us who like pine but don't really
>want to give the world a key to our system?

There is no character-based MUA that is nearly as standards-compliant
as pine. (Well, there are some that have many fewer features that are
more standards-compliant, but you can figure out why....)