On Mon, Jul 27, 1998 at 09:25:39PM -0400, Angelos D. Keromytis wrote:
>
> In message <19980727180938.41315at_private>, Michael Fuhr writes:
>
> > disclosure, isn't it? I for one was appalled at the simplicity of the
> > exploit in what's claimed to be one of the most secure operating
> > systems around, especially since it doesn't appear to be a problem
> > with the other BSDs.
>
> While I'll agree that this is a very lame bug (in the sense that it
> shouldn't exist), one can hardly call it an exploit. It causes a
> machine to crash, but we already know how to do that in 32 different
> ways (and just as easy -- they don't even require a compiled program)
> once you can login (and for some OSes, even without logging in :-)
>
> I don't know why the person who complained did so, but I think he was
> unjustified. You were right to point that this is a full disclosure
> list.
> - -Angelos
>
> PS. The bug was fixed about 1 hour ago.

Sigh. Yes, this is a full disclosure list, but without starting the whole
discussion again - it has been mentioned before that one ought to give a
vendor a reasonable opportunity to respond to any issues before posting
them here. People have given companies like Microsoft (whom I'm no fan of)
a week to respond to more serious issues than this, as long as the vendor
is being responsive and responsible.

The OpenBSD PR was ticketed about 24 hours before your reply stating that
it had been fixed - would 24 hours have been an unreasonable delay -
considering that OpenBSD's group was aware of the problem (hence the PR),
considered it 'serious', 'high'-priority, and 'critical', and marked it as
confidential 'yes'?

To the earlier response regarding the fact that this was posted to an
OpenBSD list I say this: I doubt that many hackers monitor the OpenBSD
lists in hopes of picking up bugs, while I'm sure many do monitor Bugtraq.
All public forums are not equivalent - I do not feel distribution in one
automatically merits distribution in any other without consideration.

David Maxwell

BTW: I don't even run an OpenBSD box, this just felt like a bit of
hit-and-run to me.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:59 PDT