> -----Original Message-----
> From: Andreas Bogk [SMTP:ichat_private]
> Sent: Tuesday, January 05, 1999 4:41 AM
> To: BUGTRAQat_private
> Subject: Re: SUN almost has a clue! (automountd)
>
> On Mon, Jan 04, 1999 at 05:38:46PM -0800, Friedrichs, Oliver wrote:
> > It was never publicly noted, since the problem hasn't been fixed
> > yet (and as a security company, we aren't in the habit of
> > disclosing bugs which aren't fixed), however many people knew
> [Huger, Alfred] Experience shows that vendors don't move unless the bug is disclosed

The NAI Labs team which discovered the bug (apparently independently of the previous poster) is the former SNI Team, insinuating that we are not full disclosure would be entirely incorrect. Take a few minutes and check the Bugtraq list archives for the last 2 years, you will see significant participation from our team, from the infancy of this list up to now.

This bug simply did not strike us as an 'immediate post' issue. Had we felt it was (and we still do not think this is the case) we would have released an advisory and hopefully received vendor support. If you looked at the 30 advisories we have released to this list you would note instances where we posted with vendor support and instances where we did not. This issue simply was not important enough to expedite and post without vendor support.

And all the script kiddies out there are probably very grateful for that

Garbage, this insinuates we are somehow culpable for break-ins because of the 'status-bounce' issue. Perhaps you should re-read the post containing the description of the problem. The only 'get-root' here is the automount problem for which there has been a patch available for some time. If a machine has fallen prey to an attack via automount, the delivery mechanism is not the issue here. Not only is this flippant remark misdirected, it's cheap.

> --