Full Disclosure mailing list archives

Re: Vulnerabilities in phpCOIN


From: "Jan G.B." <ro0ot.w00t () googlemail com>
Date: Fri, 9 Apr 2010 16:28:03 +0200

2010/4/9  <Valdis.Kletnieks () vt edu>:
> On Fri, 09 Apr 2010 15:49:58 +0200, "Jan G.B." said:
>
> > And where's the point in reporting several projects that use a -say-
> > library which has a reported problem? (I mean, you've sent quite the
> > same mail with a different software to bugtraq, today.)
>
> A few years ago, a rather nasty vulnerability was found in the zlib
> compression library.  We then saw a whole raft of advisories for things
> that included the zlib libraries, because often the package shipped with
> a private copy of zlib so patching the system zlib did *not* actually
> fix the problem for the zlib-using package.
>
> And quite frankly, if it's a very low-level package, the average system
> admin may not even *realize* that his very important MobyFoo package that
> he remembers uses something called FooBar (or at least he remembers MobyFoo
> wanting FooBar when he installed it 3 years ago), and the year after that,
> FooBar started using QuuxBaz, which (a) the sysadmin didn't even know was
> installed on his box, and (b) has a security hole.
>
> You think I'm kidding?  Even *after* some vigorous pruning, my Fedora laptop
> has 1,782 RPMs installed - back around Red Hat 9 it was more like 600. Lotta
> software bloat going on, and most sysadmins don't have the combo of time and
> clue to fight it.  For instance, it's a losing battle to keep Bluetooth
> software off this laptop, even though it doesn't *have* Bluetooth hardware,
> because more and more packages link in Bluetooth "in case you have it".
>
> And not one of those package developers understands the concept of a linker
> "weak reference". Argh.


You're right.
But the target of these advisories seems to be to get as many visitors
as possible to that site and not to inform the developers (see dates).

Regards
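The bundled-zlib problem Valdis describes above (a package ships its own copy of the library, so patching the system zlib leaves that package exposed) is something a defender can check for, because every build of zlib embeds the copyright string from its own inflate.c, e.g. "inflate 1.2.11 Copyright 1995-2017 Mark Adler". The scanner below is an added example for this thread, not code from either poster; it searches files for that marker, compares the embedded version with a reference version, and runs against a few constructed byte blobs standing in for binaries (the "mobyfoo" and other names are invented sample data, not real packages).

```python
"""Find privately bundled copies of zlib by their embedded version string.

Added example for the Full-Disclosure thread on bundled libraries; not the
posters' own code. Relies on the fact that zlib's inflate.c embeds the
string "inflate <version> Copyright <years> Mark Adler" in every build, so a
statically linked or vendored zlib can be located even when no package
metadata mentions it.
"""
import os
import re
import sys
import zlib

# Marker zlib compiles into every object built from inflate.c.
# The version and year range change per release; the surrounding text does not.
_ZLIB_MARKER = re.compile(
    rb"inflate (\d+\.\d+(?:\.\d+)?) Copyright \d{4}-\d{4} Mark Adler"
)


def bundled_zlib_versions(blob: bytes) -> list[str]:
    """Return every zlib version string embedded in a binary blob."""
    return [m.group(1).decode("ascii") for m in _ZLIB_MARKER.finditer(blob)]


def version_tuple(version: str) -> tuple[int, ...]:
    """'1.2.11' -> (1, 2, 11) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(embedded: str, reference: str) -> bool:
    """True when the embedded copy is older than the reference (system) zlib."""
    return version_tuple(embedded) < version_tuple(reference)


def scan_directory(root: str, reference: str = zlib.ZLIB_VERSION) -> dict[str, list[str]]:
    """Walk `root` and return {path: [outdated embedded zlib versions]}.

    Only files carrying a zlib copy older than `reference` are reported.
    The default reference is the zlib version this Python was built against,
    which on most systems is the patched system library.
    """
    findings: dict[str, list[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or special file: skip, do not abort the scan
            old = [v for v in bundled_zlib_versions(data) if is_outdated(v, reference)]
            if old:
                findings[path] = old
    return findings


# Constructed sample "binaries" (not real files): one vendoring an old zlib,
# one with a current copy, one with no zlib at all.
SAMPLE_BLOBS = {
    "mobyfoo": b"\x7fELF\x00...\x00 inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00",
    "current_tool": b"\x7fELF\x00...\x00 inflate 1.2.13 Copyright 1995-2022 Mark Adler \x00",
    "no_zlib": b"\x7fELF\x00...\x00just some other strings\x00",
}


def audit_samples(reference: str = "1.2.13") -> dict[str, list[str]]:
    """Apply the same check to the constructed blobs; returns only the hits."""
    result = {}
    for name, blob in SAMPLE_BLOBS.items():
        old = [v for v in bundled_zlib_versions(blob) if is_outdated(v, reference)]
        if old:
            result[name] = old
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_directory(sys.argv[1])  # e.g. /usr/lib or /opt
    else:
        hits = audit_samples()
    for path, versions in hits.items():
        print(f"{path}: bundled zlib {', '.join(versions)} older than reference")
```

Run it with a directory argument to sweep real binaries against the system zlib, or without one to see the constructed samples flagged; in a real inventory the same marker approach extends to any library that stamps a version string into its objects.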

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

