Bugtraq mailing list archives
Re: Fwd: Any user can panic OpenBSD machine
From: david () WWW FUNDY CA (David Maxwell)
Date: Tue, 28 Jul 1998 09:45:06 -0300
On Mon, Jul 27, 1998 at 09:25:39PM -0400, Angelos D. Keromytis wrote:
> In message <19980727180938.41315 () dimensional com>, Michael Fuhr writes:
> > disclosure, isn't it? I for one was appalled at the simplicity of the exploit in what's claimed to be one of the most secure operating systems around, especially since it doesn't appear to be a problem with the other BSDs.
>
> While I'll agree that this is a very lame bug (in the sense that it shouldn't exist), one can hardly call it an exploit. It causes a machine to crash, but we already know how to do that in 32 different ways (and just as easy -- they don't even require a compiled program) once you can login (and for some OSes, even without logging in :-)
>
> I don't know why the person who complained did so, but I think he was unjustified. You were right to point that this is a full disclosure list.
>
> -Angelos
>
> PS. The bug was fixed about 1 hour ago.
Sigh. Yes, this is a full disclosure list, but without starting the whole discussion again - it has been mentioned before that one ought to give a vendor a reasonable opportunity to respond to any issues before posting them here. People have given companies like Microsoft (whom I'm no fan of) a week to respond to more serious issues than this, as long as the vendor is being responsive and responsible.

The OpenBSD PR was ticketed about 24 hours before your reply stating that it had been fixed - would 24 hours have been an unreasonable delay - considering that OpenBSD's group was aware of the problem (hence the PR), considered it 'serious', 'high'-priority, and 'critical', and marked it as confidential 'yes'?

To the earlier response regarding the fact that this was posted to an OpenBSD list I say this: I doubt that many hackers monitor the OpenBSD lists in hopes of picking up bugs, while I'm sure many do monitor Bugtraq. All public forums are not equivalent - I do not feel distribution in one automatically merits distribution in any other without consideration.

David Maxwell

BTW: I don't even run an OpenBSD box, this just felt like a bit of hit-and-run to me.