Bugtraq mailing list archives
Re: Advisory: mgetty local compromise
From: Mark Stingley <chief () AEGISDATA COM>
Date: Tue, 29 Aug 2000 12:00:40 -0500
I think of vendors as those who distribute the operating system (commercially comes to mind) and people who maintain software as maintainers. You're right there. A Linux vendor fixed it in their distribution, that's what I was talking about.
I'm sorry, but in the Linux world I disagree. In my opinion, the contact names in the software package's FAQ, source code, config file, or other documentation should be considered the priority contact. As a systems administrator, I'm not about to wait on any Linux distributor to package something for me, if I consider the vulnerability of any of its components to be serious to my environment. If the subject mgetty bug were a likely candidate for local exploit on any of my systems, I would much prefer to download a tarball and manually install it -- just the same as most of us out here did with the Linux 2.2.16 kernel. We converted to the RedHat RPM "when" it became available -- we did not WAIT for it.

So, in the future, please contact the maintainer of a software package directly when it's part of any Linux distribution. The packager/distributor should be an info cc:, as far as I'm concerned. Usually, Red Hat has close enough ties with the individual package maintainers that they will know immediately when the package has been fixed and can put together their own distribution RPM as soon as the software component itself has been fixed.

So, thanks for your fine efforts in auditing mgetty. But, please change your notification method.

That being said, I would also request that the affected parties please let the topic die before fine people get their knickers twisted into a wasteful, hurtful flame war.

Thanks, and keep up the good work.

--
Mark Stingley
Aegis Data Systems - LearnLinux
http://www.AegisData.com
http://www.LearnLinux.com
501 Elm Street, Suite 350
Dallas, Texas 75202
Phone: 214.752.6433
Where certification is included with all training courses
Current thread:
- Advisory: mgetty local compromise Stan Bubrouski (Aug 26)
- Re: Advisory: mgetty local compromise Gert Doering (Aug 26)
- Re: Advisory: mgetty local compromise Gert Doering (Aug 26)
- Re: Advisory: mgetty local compromise Stan Bubrouski (Aug 26)
- Re: Advisory: mgetty local compromise Gert Doering (Aug 26)
- Re: Advisory: mgetty local compromise Stan Bubrouski (Aug 29)
- Re: Advisory: mgetty local compromise Mark Stingley (Aug 30)
- Re: Advisory: mgetty local compromise Gert Doering (Aug 26)
- Re: Advisory: mgetty local compromise Cy Schubert - ITSD Open Systems Group (Aug 31)