[6759] in bugtraq
Re: SN 4.0 huge security hole
daemon@ATHENA.MIT.EDU (Michael Tiemann)
Wed May 13 21:50:38 1998
Date: Wed, 13 May 1998 17:21:40 -0700
Reply-To: Michael Tiemann <tiemann@CYGNUS.COM>
From: Michael Tiemann <tiemann@CYGNUS.COM>
X-To: Elmer Joandi <elmer_j@ut.ee>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Thu, 14 May 1998 01:25:05 PDT."
<Pine.GSO.3.96.980514012216.17472A-100000@madli.ut.ee>

Your message has been received, understood, and a technical fix has been
implemented and is being tested. We have disabled ftp downloads of
SN-Lite for all platforms, and have already formulated a fix. We are
contacting CERT to post a proper advisory and fix.

I would ask that in the future, you follow proper security notification
protocol, which is to attempt to contact the vendor with such problems
first, so that immediate action can be taken to resolve the problem
before widely exposing the vulnerability. You should reserve public
exposure for the rare cases that the vendor ignores your warning. As it
is, you have probably induced several enterprising crackers to attempt
to exploit this vulnerability in the few hours it will take us to
re-spin all the software, and thus you are the one who would be liable
for any mis-use of this bug.

Please direct your followups to myself, not the lists that I have ack'd
your message to. Thanks,

Michael Tiemann