[227] in bugtraq
No subject found in mail header
daemon@ATHENA.MIT.EDU (der Mouse)
Mon Nov 28 14:27:07 1994
Date: Mon, 28 Nov 1994 11:19:50 -0500
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
To: 8lgm@bagpuss.demon.co.uk
Cc: bugtraq@fc.net
8lgm folks,
> This advisory has been sent to:
> BUGTRAQ <bugtraq@fc.net>
> [8lgm]-Advisory-12.UNIX.suid_exec.27-Jul-1991
> REPEAT BY:
> Exploit details will not be made available at this time.
> [8lgm]-Advisory-15.UNIX.mail3.28-Nov-1994
> REPEAT BY:
> Exploit details will not be available.
> [8lgm]-Advisory-11.UNIX.sadc.07-Jan-1992
> REPEAT BY:
> Exploit details will not be made available, until patches have
> been provided.
I'm disappointed to see you dropping the disclosure attitude - for
example, I run a NetBSD system that for all I know may be vulnerable to
the mail attack, but your "advisory" is utterly useless to me because
you don't explain enough for me to test for it.
But that's not the main point of my letter. The main point is: bugtraq
is a full-disclosure list. If you've fallen victim to the delusion
that everyone is running vendor software from a vendor that (still
exists and) is responsible about issuing security patches, that's your
choice - but in that case, bugtraq is not an appropriate place to send
your stuff.
And if this keeps up, I'm going to have to ask to be removed from your
list; "advisories" that don't tell me anything but "there is a bug" are
of so little value that the mailbox clutter factor outweighs it. One
of "my" systems is running NetBSD, which has no "vendor", and the other
is a NeXT running a good deal of non-vendor software. Without a way to
test for the presence of holes, such things are of no use at all to me.
der Mouse
mouse@collatz.mcrcim.mcgill.edu
