Bugtraq mailing list archives
Re: Advisory: mgetty local compromise
From: Gert Doering <gert () GREENIE MUC DE>
Date: Sat, 26 Aug 2000 16:56:12 +0200
Hi,

On Sat, Aug 26, 2000 at 10:45:35AM -0400, Stan Bubrouski wrote:
> > On Sat, Aug 26, 2000 at 02:23:05AM -0400, Stan Bubrouski wrote:
> > > Author : Stan Bubrouski
> > > Date : August 26, 2000
> > > Package : mgetty
> > > Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
[..]
> > First of all, this hole does NOT exist anymore in 1.1.22. It has been reported to me by the FreeBSD people, and closed on August 14, 2000.
>
> Yeah and this report was constructed based on what I wrote on June 2nd and was subsequently ignored.

You never reported it to *me*. It's pretty clear from all the documentation that I wrote mgetty+sendfax and still maintain it. You reported it to "some Linux vendor" (which is good, indeed, but not sufficient). Actually, if you look at the bugzilla ID that you quote, you see that I did respond to it, after one of the FreeBSD crowd pointed me to it.

> > 1.1.22 has been released on August 17, 2000, and can be found on the usual places (http://alpha.greenie.net/mgetty/).
>
> Yeah I know. It was an error. I meant to put that in a "Versions unaffected:" row, but for some reason left on the same line as unaffected.

*sigh*

> See I had actually reported this to bugtraq over two months ago,

You haven't. You have reported this to RedHat's "bugzilla" database, which is something completely different. Checking the bugtraq archives, there are exactly two articles containing the word "faxrunq". Both are written by me, in July 1997 - seems that your article from today is not yet indexed. Other articles from July this year are certainly visible.

> and only one vendor addressed the problem and they did it covertly so nobody knew.

The "vendor" of mgetty+sendfax is *me*. You have not notified me, or the mgetty mailing list.

[..]

> I only made this report to clarify the vulnerability and because it had now been fixed.

In that case, please re-read the stuff before you post. What you did was to cause much fuzz, much panic ("what, 1.1.22 vulnerable as well?"), and no good. The fact that there was this bug in 1.1.21 has been clearly reported in the mgetty list (and it's in the ChangeLog), and Linux distribution vendors usually pick up new releases quite quickly, so they should have fixed versions available RSN.

[..]

> > Second, I am really annoyed to find this on bugtraq, with false data, without any prior contact. The fact that I just released 1.1.22 should give you enough hint that I am still maintaining mgetty, and sending me a quick mail "hey, is this bug still open?" would have been in order.
>
> Not sure I understand this. I thought that's what vendors usually want. A report on a vulnerability after a patch or fix is available.

Huh? Vendors want the report on the vulnerability when you know about a problem, to be able to *develop* a fix. How do you think a vendor can develop a fix if you don't tell 'em? (Maybe we have different views what a "vendor" is. For mgetty+sendfax, I am, as the main author and coordinator).

> If this is not the case please let me know, I have scathing holes in other software that are not public because they have yet to be fixed. Get real. I don't get embarrassed by a simple typo, do you?

You better should. Claiming publicly that something is vulnerable, even giving version numbers, when you really should know that it's fixed should be embarrassing. That's much more than a "simple typo".

gert

--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert () greenie muc de
fax: +49-89-35655025  gert.doering () physik tu-muenchen de