[18907] in bugtraq


Re: summary of recent glibc bugs (Re: SuSE Security Announcement:

daemon@ATHENA.MIT.EDU (Solar Designer)
Wed Jan 31 13:59:36 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID:  <20010131115243.A26360@openwall.com>
Date:         Wed, 31 Jan 2001 11:52:43 +0300
Reply-To: Solar Designer <solar@OPENWALL.COM>
From: Solar Designer <solar@OPENWALL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010129151715.H2501@alcor.net>; from mdz@DEBIAN.ORG on Mon,
              Jan 29, 2001 at 03:17:17PM -0500

On Mon, Jan 29, 2001 at 03:17:17PM -0500, Matt Zimmerman wrote:
> On Sat, Jan 27, 2001 at 05:55:25AM +0300, Solar Designer wrote:
> > The glibc 2.2 RESOLV_HOST_CONF bug which prompted this search for bugs was
> > reported to Debian by Dale Thatcher but apparently wasn't kept private.  The
> > remaining bugs were discovered and dealt with within two days following the
> > RESOLV_HOST_CONF bug report.  As this bug got public, vendors were forced to
> > not coordinate the release of updated glibc packages.
>
> It sounds like you're implying that Debian was responsible for publicizing this
> bug.

Of course not, but I should have been more explicit about that as
some people definitely read it this way.  Sorry for that, :-( and
thanks for your detailed explanation.

> This bug was first discussed (this time around) on VULN-DEV, starting
> here:
>
> http://archives.neohapsis.com/archives/vuln-dev/2001-q1/0024.html
> (dated Sat, 6 Jan 2001 17:23:35 -0500)
>
> Dale Thatcher posted to vuln-dev about the vulnerability in a message dated
> "Mon Jan 08 2001 - 10:30:01 CST", which specifically revealed that unstable
> Debian was vulnerable.
>
> The bug was reported to Debian by thomas lakofski <thomas@88.net> to
> security@debian.org and debian-security@lists.debian.org in a message dated
> "Mon, 8 Jan 2001 13:34:52 +0000 (GMT)"
> (http://lists.debian.org/debian-security-0101/msg00011.html).  Note that
> debian-security is a public, archived mailing list, like vuln-dev.
>
> In response to this (public) discussion of the vulnerability, I opened a bug
> (http://bugs.debian.org/81587) against the libc6 package (Mon, 8 Jan 2001
> 10:27:54 -0500) to bring the problem to the attention of the maintainer.  Fixed
> packages were installed into the archive Thu, 11 Jan 2001 14:57:09 -0500.  By
> this time, this vulnerability was clearly already public and being actively
> explored (and probably exploited).

--
/sd
