On Wed, Dec 12, 2001, vuln-dev wrote:
> Hello Readers,
>
> GOBBLES Labs full disclosure advisory + exploit for popular sniffer
> Ettercap. Do not confuse this with GOBBLES-11.txt or GOBBLES-own-ettercap.c
> ; this is one of the many remote exploits we wrote for this program.

OK on the full disclosure, but it would be better to also check the current CVS tree before making useless announcements. The new ettercap was released today and fixes this and other security holes that you have not found.

The day after your first announcement, the ettercap developers started to check all static buffers and most of the format strings, introduced strlcpy in the CVS tree and replaced most of the sprintf/strcpy calls with the less error-prone strlcpy/strlcat/snprintf. I checked the project on Sat 8 Dec as a betatester, and I noticed that almost all of the dissectors had already been checked against buffer overflows.

However, every vendor/distro should replace the old version with 0.6.3.

Cheers,
deneb.

-----------------
Giorgio Zoppi
http://www.cli.di.unipi.it/~zoppi/
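The reply above describes the fix pattern applied to the ettercap dissectors: bounded copies with strlcpy/strlcat/snprintf in place of strcpy/sprintf into static buffers, and format strings that never carry wire data. The following is an added example of that pattern, not code from ettercap or from the poster. `bounded_strlcpy`, `copy_field`, `format_line`, the buffer sizes and the sample inputs are all constructed for the example; the portable `bounded_strlcpy` stands in for strlcpy because not every libc provides it.

```c
#include <stdio.h>
#include <string.h>

/* Portable stand-in for strlcpy (assumed name: bounded_strlcpy), since
 * strlcpy is not available in every libc. Copies at most dstsize-1 bytes,
 * always NUL-terminates when dstsize > 0, and returns strlen(src) so the
 * caller can detect truncation instead of overflowing. */
static size_t bounded_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Fixed-size buffers of the kind a protocol dissector keeps for fields it
 * pulls out of a packet. Sizes are constructed for this example. */
#define FIELD_MAX   16
#define LOGLINE_MAX 64

/* Copy a field taken from the wire into a fixed buffer.
 * Returns 0 if the whole field fit, -1 if it was truncated; the caller should
 * treat a truncated field as a malformed packet rather than use the cut
 * string silently. This replaces an unbounded strcpy(dst, src). */
int copy_field(char *dst, size_t dstsize, const char *src)
{
    size_t needed = bounded_strlcpy(dst, src, dstsize);
    return needed < dstsize ? 0 : -1;
}

/* Build a log line from attacker-controlled strings. The wire data is passed
 * as %s arguments, never as the format string (the sprintf(buf, data) bug),
 * and the snprintf return value is checked for truncation.
 * Returns 0 on success, -1 if the line did not fit in out[]. */
int format_line(char *out, size_t outsize, const char *user, const char *pass)
{
    int n = snprintf(out, outsize, "USER: %s PASS: %s", user, pass);
    if (n < 0 || (size_t)n >= outsize)
        return -1;
    return 0;
}

/* Demonstration driver over constructed inputs. */
int main(void)
{
    char field[FIELD_MAX];
    char line[LOGLINE_MAX];

    /* An oversized field no longer overruns field[]; it is reported. */
    if (copy_field(field, sizeof field, "this-username-is-far-too-long") < 0)
        printf("field rejected (would have been cut to \"%s\")\n", field);

    /* Conversion specifiers in the data are inert because they are arguments. */
    if (copy_field(field, sizeof field, "%x%x%x") == 0 &&
        format_line(line, sizeof line, field, "s3cret") == 0)
        printf("%s\n", line);

    return 0;
}
```

The two return-value checks are the point of the rewrite: a bounded copy that silently truncates still leaves the dissector working on a string the sender did not send, so the length report from `bounded_strlcpy` and from `snprintf` is used to reject the packet rather than ignored.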
This archive was generated by hypermail 2b30 : Wed Dec 12 2001 - 18:21:00 PST