Re: Fwd: Any user can panic OpenBSD machine

From: David Maxwell (davidat_private)
Date: Tue Jul 28 1998 - 05:45:06 PDT


On Mon, Jul 27, 1998 at 09:25:39PM -0400, Angelos D. Keromytis wrote:
>
> In message <19980727180938.41315at_private>, Michael Fuhr writes:
> >
> >disclosure, isn't it?  I for one was appalled at the simplicity of the
> >exploit in what's claimed to be one of the most secure operating
> >systems around, especially since it doesn't appear to be a problem
> >with the other BSDs.
>
> While I'll agree that this is a very lame bug (in the sense that it
> shouldn't exist), one can hardly call it an exploit. It causes a
> machine to crash, but we already know how to do that in 32 different
> ways (and just as easy -- they don't even require a compiled program)
> once you can login (and for some OSes, even without logging in :-)
>
> I don't know why the person who complained did so, but I think he was
> unjustified. You were right to point out that this is a full disclosure
> list.
> - -Angelos
>
> PS. The bug was fixed about 1 hour ago.

Sigh. Yes, this is a full disclosure list, but without starting the whole
discussion again - it has been mentioned before that one ought to give a
vendor a reasonable opportunity to respond to any issues before posting them
here. People have given companies like Microsoft (whom I'm no fan of) a week
to respond to more serious issues than this, as long as the vendor is being
responsive and responsible. The OpenBSD PR was ticketed about 24 hours before
your reply stating that it had been fixed - would 24 hours have been an
unreasonable delay - considering that OpenBSD's group was aware of the problem
(hence the PR), considered it 'serious', 'high'-priority, and 'critical', and
marked it as confidential 'yes'? To the earlier response regarding the fact
that this was posted to an OpenBSD list I say this: I doubt that many hackers
monitor the OpenBSD lists in hopes of picking up bugs, while I'm sure many
do monitor Bugtraq. All public forums are not equivalent - I do not feel
distribution in one automatically merits distribution in any other without
consideration.

                                                        David Maxwell

BTW: I don't even run an OpenBSD box, this just felt like a bit of hit-and-run
to me.
    
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:59 PDT