Bugtraq mailing list archives
Re: Napster, Inc. response to Colten Edwards
From: Dylan_G () BIGFOOT COM (Dylan Griffiths)
Date: Thu, 30 Mar 2000 18:48:40 -0600
Jordan Ritter <jpr5 () napster com> wrote:
> Approximately one hour after receiving the post from BugTraq, Napster's servers were patched to prevent this from occurring. Users of the Napster Win32 client software are NOT vulnerable.
As long as the client has a buffer overflow, it is vulnerable. OpenNAP servers ( http://opennap.sourceforge.net/ ), for example, are an unknown because has checked to see if they do sanity checking on the messages they pass for clients. Anyone using Win32 Napster on any non-Napster server is potentially vulnerable. Additionally, it could be possible for the other client to overflow another part of the client. Has the code been audited? It doesn't seem it has been, so this claim is unfounded. Please audit your code, and then inform the public of a truly safe build.
> This situation is particularly disturbing to us, as Mr. Edwards' malicious intent becomes painfully obvious from the tone and candor of his post. To the best of our knowledge, the general policy on BugTraq is that vendors should be notified of issues and given a reasonable amount of time to address the problem, so as to avoid unnecessary risk to the vendor's customers. A meaningful
To the best of my knowledge, Elias Levy moderates into the list any mails pertaining to a security issue in a product, such as an overflow in Napster, which is in fairly widespread usage. There are no guarantees of service for companies who want a "breather" period. If you wish to stay abreast of these security issues, subscribe to Bugtraq like everyone else. I'd also suggest, as you work with the Win32 platform, that you subscribe to NTBugtraq as well, as they tend to carry the more esoteric Win32 security issues.

--
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
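The point of the reply above is that a server-side filter does not fix a client that copies untrusted message data into a fixed buffer without checking its length; any server that does not filter leaves the client exposed. The following is an added example, not code from this thread, from Napster or from OpenNAP: it shows a client-side parser that validates a length-prefixed message before copying it, so the client is safe regardless of which server it talks to. The wire format (2-byte little-endian length, 2-byte type, payload) and the buffer size MAX_PAYLOAD are assumptions for illustration, not the real Napster protocol.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed fixed client buffer size (hypothetical value for illustration). */
#define MAX_PAYLOAD 256

/* Hypothetical frame: [len:2 LE][type:2 LE][payload:len]. Not the real protocol. */
typedef struct {
    uint16_t type;
    uint16_t len;
    char payload[MAX_PAYLOAD + 1];   /* +1 for a terminating NUL */
} msg_t;

/*
 * The unsafe pattern the thread argues about, shown only as a comment:
 *     memcpy(out->payload, buf + 4, len);   // trusts len from the peer
 * With len > MAX_PAYLOAD this writes past payload[] no matter what the
 * server did, which is why a server-side patch alone is not a client fix.
 */

/* Returns 0 on success, a negative code on rejection. Never writes past payload[]. */
int parse_message(const uint8_t *buf, size_t buflen, msg_t *out)
{
    if (buf == NULL || out == NULL || buflen < 4)
        return -1;                                   /* no complete header */
    uint16_t len  = (uint16_t)(buf[0] | (buf[1] << 8));
    uint16_t type = (uint16_t)(buf[2] | (buf[3] << 8));
    if (len > MAX_PAYLOAD)
        return -2;                                   /* oversize claim: reject before copying */
    if ((size_t)len + 4 > buflen)
        return -3;                                   /* frame shorter than its own length field */
    out->type = type;
    out->len  = len;
    memcpy(out->payload, buf + 4, len);              /* bounded by the checks above */
    out->payload[len] = '\0';
    return 0;
}

/* Constructed sample frames (not captured traffic) exercising each branch. */
int demo_valid(void)
{
    const uint8_t frame[] = { 0x05, 0x00, 0x01, 0x00, 'h', 'e', 'l', 'l', 'o' };
    msg_t m;
    return parse_message(frame, sizeof frame, &m);
}

int demo_oversize(void)
{
    /* Length field claims 1000 bytes (0x03E8); the client buffer holds 256. */
    const uint8_t frame[] = { 0xE8, 0x03, 0x01, 0x00, 'x', 'x', 'x', 'x' };
    msg_t m;
    return parse_message(frame, sizeof frame, &m);
}

int demo_truncated(void)
{
    /* Length field claims 10 bytes but only 4 payload bytes arrived. */
    const uint8_t frame[] = { 0x0A, 0x00, 0x01, 0x00, 'a', 'b', 'c', 'd' };
    msg_t m;
    return parse_message(frame, sizeof frame, &m);
}

int main(void)
{
    printf("valid: %d, oversize: %d, truncated: %d\n",
           demo_valid(), demo_oversize(), demo_truncated());
    return 0;
}
```

The two rejections happen before any byte is copied, which is the property a client needs when it cannot trust every server it connects to.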