[2217] in bugtraq
Re: Linux NIS security problem hole and fix
daemon@ATHENA.MIT.EDU (System Administrator)
Fri Sep 8 10:17:09 1995
Date: Fri, 8 Sep 1995 10:38:38 +0100
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: System Administrator <root@iifeak.swan.ac.uk>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <Pine.D-G.3.91.950907130610.10131E-100000@hopi.dtcc.edu> from
"Ken Weaverling" at Sep 7, 95 01:15:58 pm
> I was told by someone that this hole is "well known" and has been discussed
> on the LINUX security list for a while now. A few people have emailed me
> telling me what it was too, so it is obvious that this is "known" about.
It was reported, noted and fixed a long time ago.
> I am now even more a believer of full disclosure. We purchased a commercial
> version of LINUX just a little while ago, and the hole exists. How am
> I supposed to protect stuff if I don't even know about it? Sigh....
Bugtraq and the linux-security mailing lists are probably the best resources.
We do also pass Linux bugs onto cert but while people like dfn-cert (Germany)
actively log and issue info about such things US cert appears a total waste
of effort. I think every actual alert that linux-security finds also gets
onto bugtraq.
> CERT advised me of the above fix. They couldn't test the fix since they
> don't have a LINUX machine anywhere. Pretty incredible that no one at
> CERT runs a free Unix that can run on a 386 with 4 megs...
I'll have a word with a few people. Maybe a vendor will send them a free CD
if I point this out to them.
Alan