Bugtraq mailing list archives

Re: Vulnerabilities in KTH Kerberos IV


From: Jouko Pynnonen <jouko () SOLUTIONS FI>
Date: Mon, 11 Dec 2000 00:28:31 +0200

On Sun, 10 Dec 2000, Robert Watson wrote:

> Despite being explicitly mentioned in the advisory as an affected
> operating system and the statement of notification above, the FreeBSD
> Project was not notified in advance of the release of this advisory.  We

I'd like to point out that it was OpenBSD who chose to make the
vulnerabilities public at this point, which happened with an advisory and
a patch they released almost three days before my Bugtraq posting came
out.

At this point the details, affected systems, and impact weren't quite
clear, as they still aren't. Discussion with KTH Kerberos developers and
CERT is still underway. I was also prepared to do more than a "minimal
effort" to contact other OS vendors concerned, as I've done before.

I expected the disclosure to happen at least two or three weeks later due
to the complicated nature of the issue. All the response I got from
OpenBSD, which was the sentence "A patch for this was committed" and the
advisory on their website after that, didn't give me much chance to
discuss the disclosure policy. Last time I tried that (concerning the
ncurses buffer overflows) OpenBSD proactively released their advisory
despite my request to keep the information private until a schedule had
been arranged.

The fact that my so-called advisory mentioned FreeBSD as an affected
operating system can hardly be seen as inappropriate in this situation; it
gave FreeBSD users (as well as users of other OS's) a chance to react,
which most of them didn't have, as not everyone keeps an eye on the
OpenBSD website. Avoiding mentioning FreeBSD or not releasing the
information at that point could have been considered "security by
obscurity".



--
Jouko Pynnonen           Online Solutions Ltd      Secure your Linux -
jouko () solutions fi                                 http://www.secmod.com

