Bugtraq mailing list archives
Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork?
From: Gadi Evron <ge () linuxbox org>
Date: Wed, 14 Feb 2007 19:02:29 -0600 (CST)
On Thu, 15 Feb 2007, Joep Vesseur wrote:
> Gadi,
>
> [...]
>
>> One note: although it could just as well be a bug, who says it was not a backdoor in the early 90's?
>>
>> Also, I understand this does not work on older Solaris/SunOS systems (anyone can verify?)
>
> I can. It is not present in anything before Solaris 10.
>
>> which adds to my personal interest in the possibility. I refuse to believe someone is that funny/sad.
>
> Not sure what you mean here... You don't believe this is a (very unfortunate) accident? From where I stand (pretty close to the fire) this is pretty much what it looks like (an extended multi-file, multi-entrance-point change with unforeseen and unnoticed interdependencies).
This needs to be further discussed, as your response here has been awe-striking.

The remote possibility was raised, and for several reasons:

1. It just didn't seem to be possible such a vulnerability would exist, yet it does.
2. It was a remote one (not raised by me, btw) which I wanted answers for rather than let it die under the usual flames.
3. It was raised, we needed to discuss it.

Sun has been completely visible and did full-disclosure on the vulnerability, how it got there, etc. I have to tip my hat to you and thank you for your help with this. I believe the entire industry should thank you, and follow your lead.

This is the first case where I have seen a vendor respond in such fashion. It is to be commended yet again. You have proven what being open with the community can achieve.

This is a serious F up on the side of Sun. Everyone makes mistakes and incidents will happen no matter what. What matters here is how you responded to the incident when it did happen.

Gadi.
Joep