Bugtraq mailing list archives

Re: Linux NIS security problem hole and fix


From: root () iifeak swan ac uk (System Administrator)
Date: Fri, 8 Sep 1995 10:38:38 +0100


I was told by someone that this hole is "well known" and has been discussed
on the LINUX security list for a while now. A few people have emailed me
telling me what it was too, so it is obvious that this is "known" about.

It was reported, noted and fixed a long time ago.

I am now even more a believer of full disclosure. We purchased a commercial
version of LINUX just a little while ago, and the hole exists. How am
I supposed to protect stuff if I don't even know about it?  Sigh....

Bugtraq and the linux-security mailing lists are probably the best resources.
We do also pass Linux bugs onto CERT but while people like DFN-CERT (Germany)
actively log and issue info about such things US CERT appears a total waste
of effort. I think every actual alert that linux-security finds also gets
onto bugtraq.

CERT advised me of the above fix. They couldn't test the fix since they
don't have a LINUX machine anywhere. Pretty incredible that no one at
CERT runs a free Unix that can run on a 386 with 4 megs...

I'll have a word with a few people. Maybe a vendor will send them a free CD
if I point this out to them.

Alan


