Postfix: old bugs keep coming back

From: Wietse Venema (wietseat_private)
Date: Mon Aug 04 2003 - 18:36:16 PDT

    Bugs happen. Perhaps more unusual is that the two problems reported
    today by Michal Zalewski were fixed nine or more months ago and
    that the fixed code has been publicly available all that time.
    
    Number one was fixed as the accidental side effect of a code reorg.
    Number two was fixed by an explicit bugfix (not thought to be
    security related at the time).  Unfortunately, number two did not
    feature in Michal's draft advisory that I worked off last week;
    I'd happily have fixed some technical inaccuracies in his text.
    
    This episode is a reminder that bugs don't necessarily go away even
    when they are fixed.  Once the source code goes out the door you
    no longer control what happens with it. The result is that people
    can discover old fixed bugs in "brand-new" software.
    
    This phenomenon is far from new. As someone told me in private
    email, Robert Morris Sr. lamented that he personally had fixed some
    of the security bugs in the UNIX utilities back in the late '70s,
    but they were still being exploited almost 20 years later.
    
    	Wietse
    


