Bugtraq mailing list archives
Re: NT RPC Hotfix
From: volobuev () t1 chem umn edu (Yuri Volobuev)
Date: Fri, 24 Jan 1997 15:00:46 -0600
decide which companies survive and which don't. I also know that when a bug comes out that a workaround can commonly be done in a few hours, and I
An off-topic note. I'm not doing programming for a living, so I'm not an authority, but I want to say that I totally agree with the above statement. There are very few bugs that require some serious changes to the code. Most common ones are very easy to fix, and it's usually a no-brainer. One of the reasons Unix (and other) vendors give when the patch takes forever to get through is "extensive testing".

I don't want to make blanket statements, but look at an example. Some of you may remember "happy end" netprint story (for those who don't: there was a root hole in netprint program, part of Irix. I reported problem to SGI, but didn't go public, for testing purposes. In about a month, a patch was released). They took their time to make that patch. AUSCERT folks proposed putting in a wrapper, which would neutralize the problem, but I insisted that because of the complexity of the problem it's better to wait for a real patch, wrapper may screw something up.

Well, that's what being young and inexperienced is all about, blindly believing in something one should never believe in. I thought that since patch is from SGI, and they got time to test it, it should work, so I didn't even bother testing it myself, and went on with New Year celebration. Guess what: the patch breaks entire printing thing. Simple as that. On all my Irix 5.3 boxes netprint, when invoked _by_ lp, complains that it should be run by lp and quits. So I ended up putting a wrapper in place that calls real netprint as root. Maybe I've done something stupid myself, but I don't think so.

Moral? Month worth of waiting was basically wasted. The fact that vendor has time to test something doesn't mean anything. So "hot" fixes and "carefully tested" fixes don't differ so much, on an average.

yuri

Always speaking for myself and only for myself