Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

From: Dave Sherohman <esper () sherohman org>
Date: Wed, 18 Feb 2004 10:55:06 -0600
On Wed, Feb 18, 2004 at 08:29:49AM -0500, gabriel rosenkoetter wrote:

Oh, give me a break. Some developer went, "Oh, hey, I'm not bounds
checking there. Okay, fix that," and the changes filtered out into
the release of IE. You don't release "security patches" except in
response to publication of a serious vulnerability, and especially
in response to a problem that's systemic. This is *a* buffer
overflow. Do we expect even Sun or Apple to tell us about every
buffer overflow they fix? Hell, do we expect Linux or NetBSD to do
so?


Funny that you should ask that on the same day that I (and this list)
have received no fewer than four notices from Debian that they've
released new versions of various kernel packages to fix *a* local
root hole caused by not checking a function's return value.

So, yes, I do expect my Linux distributor to tell me about every
buffer overflow they fix - and they do, either with mail from the
debian-security list or with Changelogs included in the packages.

-- 
The freedoms that we enjoy presently are the most important victories of the
White Hats over the past several millennia, and it is vitally important that
we don't give them up now, only because we are frightened.
  - Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: