Full Disclosure mailing list archives
Re: Vulnerabilities in phpCOIN
From: "Jan G.B." <ro0ot.w00t () googlemail com>
Date: Fri, 9 Apr 2010 16:28:03 +0200
2010/4/9 <Valdis.Kletnieks () vt edu>:
> On Fri, 09 Apr 2010 15:49:58 +0200, "Jan G.B." said:
> > And where's the point in reporting several projects that use a -say- library which has a reported problem? (I mean, you've sent quite the same mail with a different software to bugtraq, today.)
>
> A few years ago, a rather nasty vulnerability was found in the zlib compression library. We then saw a whole raft of advisories for things that included the zlib libraries, because often the package shipped with a private copy of zlib so patching the system zlib did *not* actually fix the problem for the zlib-using package.
>
> And quite frankly, if it's a very low-level package, the average system admin may not even *realize* that his very important MobyFoo package that he remembers uses something called FooBar (or at least he remembers MobyFoo wanting FooBar when he installed it 3 years ago), and the year after that, FooBar started using QuuxBaz, which (a) the sysadmin didn't even know was installed on his box, and (b) has a security hole.
>
> You think I'm kidding? Even *after* some vigorous pruning, my Fedora laptop has 1,782 RPMs installed - back around Red Hat 9 it was more like 600. Lotta software bloat going on, and most sysadmins don't have the combo of time and clue to fight it. For instance, it's a losing battle to keep Bluetooth software off this laptop, even though it doesn't *have* Bluetooth hardware, because more and more packages link in Bluetooth "in case you have it". And not one of those package developers understands the concept of a linker "weak reference". Argh.
You're right. But the target of these advisories seems to be to get as many visitors as possible to that site and not to inform the developers (see dates).

Regards

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
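Valdis' point about private zlib copies surviving a system patch suggests a check an admin can actually run. The following Python scanner is an added example, not code from this thread: it looks for the copyright string that zlib builds embed (of the form ` inflate 1.2.11 Copyright 1995-2017 Mark Adler `, from zlib's inflate.c and deflate.c) in every file under a directory and flags copies older than a given fixed-in version. The scan root and the fixed-in version are assumed inputs; the sample byte strings at the bottom are constructed.

```python
import os
import re
import sys
from typing import List, Tuple

# zlib embeds " inflate <ver> Copyright ..." / " deflate <ver> Copyright ..." in every build,
# so the string survives static linking and lets us spot private copies of the library.
ZLIB_MARK = re.compile(rb"(?:inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.3' or '1.2.3.4' into a comparable 4-tuple (missing parts become 0)."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def embedded_zlib_versions(data: bytes) -> List[str]:
    """Return each distinct zlib version string found in a blob, in order of first appearance."""
    seen: List[str] = []
    for match in ZLIB_MARK.finditer(data):
        version = match.group(1).decode("ascii")
        if version not in seen:
            seen.append(version)
    return seen


def outdated_copies(data: bytes, fixed_in: str) -> List[str]:
    """Versions embedded in `data` that are older than the release carrying the fix."""
    threshold = parse_version(fixed_in)
    return [v for v in embedded_zlib_versions(data) if parse_version(v) < threshold]


def scan_tree(root: str, fixed_in: str, max_size: int = 64 * 1024 * 1024) -> List[Tuple[str, str]]:
    """Walk `root` and list (path, version) for regular files bundling a zlib older than `fixed_in`."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_size:
                    continue  # skip symlinks and very large files (disk images, archives)
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: not ours to inspect
            findings.extend((path, v) for v in outdated_copies(data, fixed_in))
    return findings


# Constructed samples: one fake binary bundling an old zlib, one carrying a patched copy.
SAMPLE_OLD = b"\x7fELF\x00junk inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00more"
SAMPLE_NEW = b"\x7fELF\x00junk deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler \x00"

if __name__ == "__main__":  # usage: zlibscan.py <root> <fixed-in-version>, e.g. /usr 1.2.11
    for path, version in scan_tree(sys.argv[1], sys.argv[2]):
        print(f"{path}: bundled zlib {version}")
```

Reading each file whole keeps the code short; on a large tree a chunked read with overlap would be the next step.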