Bugtraq mailing list archives
Re: summary of recent glibc bugs (Re: SuSE Security Announcement: shlibs/glibc (SuSE-SA:2001:01))
From: Matt Zimmerman <mdz () DEBIAN ORG>
Date: Mon, 29 Jan 2001 15:17:17 -0500
On Sat, Jan 27, 2001 at 05:55:25AM +0300, Solar Designer wrote:
> The glibc 2.2 RESOLV_HOST_CONF bug which prompted this search for bugs was reported to Debian by Dale Thatcher but apparently wasn't kept private. The remaining bugs were discovered and dealt with within two days following the RESOLV_HOST_CONF bug report. As this bug got public, vendors were forced to not coordinate the release of updated glibc packages.

It sounds like you're implying that Debian was responsible for publicizing this bug. This bug was first discussed (this time around) on VULN-DEV, starting here:

http://archives.neohapsis.com/archives/vuln-dev/2001-q1/0024.html
(dated Sat, 6 Jan 2001 17:23:35 -0500)

Dale Thatcher posted to vuln-dev about the vulnerability in a message dated "Mon Jan 08 2001 - 10:30:01 CST", which specifically revealed that unstable Debian was vulnerable.

The bug was reported to Debian by thomas lakofski <thomas () 88 net> to security () debian org and debian-security () lists debian org in a message dated "Mon, 8 Jan 2001 13:34:52 +0000 (GMT)" (http://lists.debian.org/debian-security-0101/msg00011.html). Note that debian-security is a public, archived mailing list, like vuln-dev.

In response to this (public) discussion of the vulnerability, I opened a bug (http://bugs.debian.org/81587) against the libc6 package (Mon, 8 Jan 2001 10:27:54 -0500) to bring the problem to the attention of the maintainer. Fixed packages were installed into the archive Thu, 11 Jan 2001 14:57:09 -0500. By this time, this vulnerability was clearly already public and being actively explored (and probably exploited).

--
 - mdz