Bugtraq mailing list archives
Re: Vulnerabilities in KTH Kerberos IV
From: Jouko Pynnonen <jouko () SOLUTIONS FI>
Date: Mon, 11 Dec 2000 00:28:31 +0200
On Sun, 10 Dec 2000, Robert Watson wrote:
> Despite being explicitly mentioned in the advisory as an affected operating system and the statement of notification above, the FreeBSD Project was not notified in advance of the release of this advisory. We
I'd like to point out that it was OpenBSD who chose to make the vulnerabilities public at this point, which happened with an advisory and a patch they released almost three days before my Bugtraq posting came out. At this point the details, affected systems, and impact weren't quite clear, as they still aren't. Discussion with KTH Kerberos developers and CERT is still underway.

I was also prepared to do more than a "minimal effort" to contact other OS vendors concerned, as I've done before. I expected the disclosure to happen at least two or three weeks later due to the complicated nature of the issue. All the response from OpenBSD, which was the sentence "A patch for this was committed" and the advisory on their website after that, didn't give me much chance to discuss the disclosure policy. Last time I tried that (concerning the ncurses buffer overflows) OpenBSD proactively released their advisory despite my request to keep the information private until a schedule had been arranged.

The fact that my so-called advisory mentioned FreeBSD as an affected operating system can hardly be seen as inappropriate in this situation; it gave FreeBSD users (as well as users of other OS's) a chance to react, which most of them didn't have, as not everyone keeps an eye on the OpenBSD website. Avoiding mentioning FreeBSD or not releasing the information at that point could have been considered "security by obscurity".

--
Jouko Pynnonen
Online Solutions Ltd
Secure your Linux - jouko () solutions fi
http://www.secmod.com
Current thread:
- Vulnerabilities in KTH Kerberos IV Jouko Pynnonen (Dec 10)
- Re: Vulnerabilities in KTH Kerberos IV Robert Watson (Dec 11)
- Re: Vulnerabilities in KTH Kerberos IV Jouko Pynnonen (Dec 12)
- Re: Vulnerabilities in KTH Kerberos IV kris (Dec 13)
- Re: Vulnerabilities in KTH Kerberos IV Jouko Pynnonen (Dec 12)
- Re: Vulnerabilities in KTH Kerberos IV Robert Watson (Dec 11)