[2134] in bugtraq
Re: BUGTRAQ ALERT: Solaris 2.x vulnerability
daemon@ATHENA.MIT.EDU (Scott Chasin)
Fri Aug 18 12:13:07 1995
Date: Fri, 18 Aug 1995 10:03:33 MDT
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Scott Chasin <chasin@CRIMELAB.COM>
X-To: bugtraq@crimelab.com
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <199508181449.KAA26627@netspace.org> from "L-Soft list server at
NETSPACE.ORG" at Aug 18, 95 10:49:19 am
[casper@HOLLAND.SUN.COM wrote]:
> > Just to add my two cents to the discussion:
> > - this is a known problem
> So why wasn't it more publicly announced? Sun could easily have issued a
> new binary very publicly and without saying what they had fixed.
>
Mark Graff relayed to me that Sun has known about this for about 2 weeks
or so.
[casper@HOLLAND.SUN.COM wrote]:
> > - it is fixed in 2.5 (by using fchown, not chown, both versions of ps)
Apparently this is *NOT* fixed in the 2.5 release. At least not the copy I
have. And I believe someone else has contested to this fact as well.
> So why didn't you tell people instead of negligently leaving them exposed
This is the old full-disclosure debate. I don't think we should be getting
into this here.
> Otherwise known as the majority of people who are less technically clued up.
> Vendors need to improve their methods.
>
> Alan
--Scott
chasin@crimelab.com