[18883] in bugtraq


Re: summary of recent glibc bugs (Re: SuSE Security Announcement:

daemon@ATHENA.MIT.EDU (Matt Zimmerman)
Tue Jan 30 18:14:47 2001

Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20010129151715.H2501@alcor.net>
Date:         Mon, 29 Jan 2001 15:17:17 -0500
Reply-To: Matt Zimmerman <mdz@DEBIAN.ORG>
From: Matt Zimmerman <mdz@DEBIAN.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010127055525.A20710@openwall.com>; from solar@OPENWALL.COM on
              Sat, Jan 27, 2001 at 05:55:25AM +0300

On Sat, Jan 27, 2001 at 05:55:25AM +0300, Solar Designer wrote:

> The glibc 2.2 RESOLV_HOST_CONF bug which prompted this search for bugs was
> reported to Debian by Dale Thatcher but apparently wasn't kept private.  The
> remaining bugs were discovered and dealt with within two days following the
> RESOLV_HOST_CONF bug report.  As this bug got public, vendors were forced to
> not coordinate the release of updated glibc packages.

It sounds like you're implying that Debian was responsible for publicizing this
bug.  This bug was first discussed (this time around) on VULN-DEV, starting
here:

http://archives.neohapsis.com/archives/vuln-dev/2001-q1/0024.html
(dated Sat, 6 Jan 2001 17:23:35 -0500)

Dale Thatcher posted to vuln-dev about the vulnerability in a message dated
"Mon Jan 08 2001 - 10:30:01 CST", which specifically revealed that unstable
Debian was vulnerable.

The bug was reported to Debian by thomas lakofski <thomas@88.net> to
security@debian.org and debian-security@lists.debian.org in a message dated
"Mon, 8 Jan 2001 13:34:52 +0000 (GMT)"
(http://lists.debian.org/debian-security-0101/msg00011.html).  Note that
debian-security is a public, archived mailing list, like vuln-dev.

In response to this (public) discussion of the vulnerability, I opened a bug
(http://bugs.debian.org/81587) against the libc6 package (Mon, 8 Jan 2001
10:27:54 -0500) to bring the problem to the attention of the maintainer.  Fixed
packages were installed into the archive Thu, 11 Jan 2001 14:57:09 -0500.  By
this time, this vulnerability was clearly already public and being actively
explored (and probably exploited).

--
 - mdz
