If if walks like a sale, and talks like a sale, then it is a sale.
And implicit warranties apply. And cannot be disclaimed.
In short, if you do something that resembles a sale too closely, whether you call it a sale or licensing, whether the direct sale was with you or a third party with permission to relicense, you are liable.
If you give it away, you are fine. But anyone who is selling a CD with open source software is taking on that liability. (And that liability is exactly what you are selling.)
This would put software on approximately the same grounds that everything else is. If I sell you a hammer which is prone to twisting and knocking the nail into you, I am liable. If I sell you email software which is prone to well-known macro viruses, I should be also. Whether or not I try to pull a fast one and claim that I didn't really sell you anything.
And in the same vein, if Microsoft and a bug-finder agree not to avoid telling consumers of a serious consumer risk for extended periods, that is collusion and should be treated as such.
The whole industry would howl over that. But I think it is fair. Software companies shouldn't be allowed to do an end-run around existing liability laws. Sure it is harder. But does anyone think that designing safer cars is easy on Detroit? What makes software special? That most programmers are incompetent? I think not!
Cheers,
Ben