sendmail/ftpd security-holes raise their ugly heads again...

Paul O'Neill pvo3366 at sapphire.OCE.ORST.EDU
Thu Sep 28 15:27:54 AEST 1989


In article <21 at minya.UUCP> jc at minya.UUCP (John Chambers) writes:
>
>First, the ethical question.  Should I tell anyone?  .........
>..............................................We know from much
>experience that most vendors have a history of not welcoming this
>information. 
>		...................
>Is this all a hopeless dream, or are we stuck with knowing there are problems
>but that if we're smart, we'll keep quiet about them?
>

Of course tell someone -- the vendor.
What "much experience"?  Pure folklore.

What follows is a true story and a picture-perfect example of how security
holes should be handled.

Can you say "mail to a pipe"?  I thought so.

Can you say "mail to a pipe without ``debug''"?  Ah ha, choked on that one,
didn't ya'?

While working on a mail problem on a Sun 386i I discovered a bug in Sun's
sendmail that allowed just this.  Debug was turned off, yet mail to a pipe
was possible.

I told Sun about it.  They figured out a fix *that night*.

They had a tape with the fix on it at the next Berkeley Sun Local Users Group
(SLUG) meeting within a week.

They had the fix available for anonymous ftp on uunet.uu.net within a month.
[Have you installed those things from ~ftp/sun-fixes yet?  They're there
for a reason, you know.]

So -- now that the vendor has been told, the fix has been propagated and
everyone has had time to install it, it's time to tell the security
mailing list about it.

To summarize:
1) tell the vendor
2) wait
3) tell the [reasonably secure] world

Discussion?


Paul O'Neill                 pvo at oce.orst.edu
Coastal Imaging Lab
OSU--Oceanography
Corvallis, OR  97331         503-754-3251


