Bugtraq mailing list archives

Re: Advisory: mgetty local compromise


From: Mark Stingley <chief () AEGISDATA COM>
Date: Tue, 29 Aug 2000 12:00:40 -0500

I think of vendors as those who distribute the operating system
(commercially comes to mind)
and people who maintain software as maintainers.  You're right there.  A Linux
vendor fixed it in their distribution, that's what I was talking about.

I'm sorry, but in the Linux world I disagree.  In my opinion, the contact
names in the software package's FAQ, source code, config file, or other
documentation should be considered the priority contact.

As a systems administrator, I'm not about to wait on any Linux distributor to
package something for me, if I consider the vulnerability of any of its
components to be serious to my environment.  If the subject mgetty bug were a
likely candidate for local exploit on any of my systems, I would much prefer
to download a tarball and manually install it -- just the same as most of us
out here did with the Linux 2.2.16 kernel.  We converted to the RedHat RPM
"when" it became available -- we did not WAIT for it.

So, in the future, please contact the maintainer of a software package
directly when it's part of any Linux distribution.  The packager/distributor
should be an info cc:, as far as I'm concerned. Usually, Red Hat has close
enough ties with the individual package maintainers that they will know
immediately when the package has been fixed and can put together their own
distribution RPM as soon as the software component itself has been fixed.

So, thanks for your fine efforts in auditing mgetty.  But, please change your
notification method.

That being said, I would also request that the affected parties please let the
topic die before fine people get their knickers twisted into a wasteful,
hurtful flame war.

Thanks, and keep up the good work.

--
Mark Stingley
:> :> :> :> :> :> :> :> :> :> :> :> :> :> :> :> :> :> :> :> :> :> :>
Aegis Data Systems - LearnLinux            http://www.AegisData.com
501 Elm Street, Suite 350                  http://www.LearnLinux.com
Dallas, Texas 75202                        Phone:  214.752.6433
:> :> Where certification is included with all training courses <: <:
