[NMLUG] Oops! Linux Bug Escapes Early

Warner Losh nmlug@swcp.com
Fri, 30 Nov 2001 10:18:48 -0700


In message <3C07BD23.C05F13D0@boim.com> Aaron Birenboim writes:
: I don't understand yet.  Matt makes sense to me.
: Why not release a patch ASAP?

BECAUSE IT TAKES TIME TO GENERATE, INTEGRATE AND TEST THE PATCH.

I might have the time today, but my friend might not have the time
until tomorrow.  If I release today, I screw all the folks that depend
on my friend's system (e.g. Redhat Linux vs NetBSD).  If I delay until
my friend has the time, then both the systems will have an upgrade
path when the exploit hits the street.

: Is it that the hackers read the patch to make exploits?

Yes.  Usually very quickly.  Lots of people make exploits from kits.
The last exploit I wrote took me 20 minutes.

: Hence the hackers get the RedHat patch, and make exploits before
: most systems are fixed?

Yes.  That's right.

: BTW...   I run FreeBSD.  Can I assume that my ftpd is free of this
: hole?  (WU-ftpd claims to be BASED on *BSD's ftpd)

FreeBSD's ftpd has been free of the last 10 wu-ftpd holes.  wu-ftpd was
based on the net2 ftpd.  We went through and fixed a lot of things in
our ftpd years ago.

Warner