[NMLUG] Oops! Linux Bug Escapes Early

Matt Grommes nmlug@swcp.com
Fri, 30 Nov 2001 14:31:06 -0700

I agree that this doesn't draw as much attention to the problem as a 
vulnerability announcement does, but the info is still out there and, by 
necessity, the code needed to make an exploit is in the patch. If I were a Bad 
Guy looking to hack a site that happens to use wuftpd, wouldn't I be 
interested in any new releases of wuftpd? Again, I can't assume that the 
attackers aren't looking. Plus, if you're an overworked admin with 
dozens of patches coming weekly for dozens of packages, it's easy to let 
a patch slip by if it says it's there to fix some misdirected pointers 
instead of a remotely exploitable security hole. In the case of 
Microsoft patches, for example, applying them usually means restarting 
the computer, and if it's a server that cannot be done for no reason 
(other than the reasons MS servers restart on their own, of course). 
Changelogs that omit information are another danger altogether.

I (mostly) agree that exploit discoverers should in most cases* let the 
vendors know about the hole before releasing a full announcement. Making 
sure they haven't told anybody else is hard though and why I say I 
'mostly' agree with that idea.

I _do not_ agree that $DISTRO should hold out on a patch or announcement 
until after other vendors get their patches in gear. This is what I've 
been saying all along and what it seems everybody is so mad at Redhat for.

Again, anything other than full disclosure assumes too much about the 

* Many vendors (Microsoft and Allaire spring to mind) have in the past 
completely ignored security warnings from outside people until those 
people have released the exploits into the wild with fanfare. These 
companies do not deserve the consideration of warning them, as they do 
not seem to care about their users until it's too late.

Warner Losh wrote:

> In message <3C07F332.5070709@spinn.net> Matt Grommes writes:
> : How can Redhat withhold details of a patch and still release the patch? 
> : I guess I just don't understand your position fully.
> By putting the new rpm up on their server with a recommendation to
> upgrade and that details will be forthcoming as of date X.
> Or just put a new version up and say that upgrading is recommended.
> E.g. a cryptic "Upgrade to wuftpd 3.1.2p1" is what is typically done,
> or "Fix bug relating to multiple frees of a pointer," which doesn't
> draw attention to it, in and of itself.

			--   Matt Grommes   --
"All these worlds are belong to you, except Europa. Take off no zigs there."

