Bugtraq mailing list archives

Re: summary of recent glibc bugs (Re: SuSE Security Announcement: shlibs/glibc (SuSE-SA:2001:01))


From: Matt Zimmerman <mdz () DEBIAN ORG>
Date: Mon, 29 Jan 2001 15:17:17 -0500

On Sat, Jan 27, 2001 at 05:55:25AM +0300, Solar Designer wrote:

> The glibc 2.2 RESOLV_HOST_CONF bug which prompted this search for bugs was
> reported to Debian by Dale Thatcher but apparently wasn't kept private.  The
> remaining bugs were discovered and dealt with within two days following the
> RESOLV_HOST_CONF bug report.  As this bug got public, vendors were forced to
> not coordinate the release of updated glibc packages.

It sounds like you're implying that Debian was responsible for publicizing this
bug.  This bug was first discussed (this time around) on VULN-DEV, starting
here:

http://archives.neohapsis.com/archives/vuln-dev/2001-q1/0024.html
(dated Sat, 6 Jan 2001 17:23:35 -0500)

Dale Thatcher posted to vuln-dev about the vulnerability in a message dated
"Mon Jan 08 2001 - 10:30:01 CST", which specifically revealed that unstable
Debian was vulnerable.

The bug was reported to Debian by thomas lakofski <thomas () 88 net> to
security () debian org and debian-security () lists debian org in a message dated
"Mon, 8 Jan 2001 13:34:52 +0000 (GMT)"
(http://lists.debian.org/debian-security-0101/msg00011.html).  Note that
debian-security is a public, archived mailing list, like vuln-dev.

In response to this (public) discussion of the vulnerability, I opened a bug
(http://bugs.debian.org/81587) against the libc6 package (Mon, 8 Jan 2001
10:27:54 -0500) to bring the problem to the attention of the maintainer.  Fixed
packages were installed into the archive Thu, 11 Jan 2001 14:57:09 -0500.  By
this time, this vulnerability was clearly already public and being actively
explored (and probably exploited).

--
 - mdz
