[7401] in bugtraq
Re: Fwd: Any user can panic OpenBSD machine
daemon@ATHENA.MIT.EDU (Michael Fuhr)
Mon Jul 27 21:03:58 1998
Date: Mon, 27 Jul 1998 18:09:38 -0600
Reply-To: Michael Fuhr <mfuhr@DIMENSIONAL.COM>
From: Michael Fuhr <mfuhr@DIMENSIONAL.COM>
X-To: David Maxwell <david@WWW.FUNDY.CA>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19980727160049.39621@www.fundy.ca>; from David Maxwell on Mon,
Jul 27, 1998 at 04:00:49PM -0300

On Mon, Jul 27, 1998 at 04:00:49PM -0300, David Maxwell wrote:
> Since this bug is explicitly marked confidential, and was only opened today,
> would it not have been reasonable to delay forwarding this? Given that the
> OpenBSD people are particularly enthusiastic about security auditing, I expect
> it will be fixed quickly.

In response to this, and in response to the person who privately called
my forwarding of the bug report "lameness," I have this to say: The
bug report was forwarded to some OpenBSD list to which I must have
subscribed at one time. If the OpenBSD listfolk didn't want the bug
known about then they should have kept it amongst the developers. The
bug had already been made public in one forum; I simply brought it to
the attention of this one. Apparently the moderator didn't have any
qualms about approving it for distribution -- this list *is* about full
disclosure, isn't it? I for one was appalled at the simplicity of the
exploit in what's claimed to be one of the most secure operating
systems around, especially since it doesn't appear to be a problem
with the other BSDs.

Black hats distribute these kinds of exploits quickly. Let's make sure a
few white hats know about them too.

--
Michael Fuhr
http://www.fuhr.net/~mfuhr/