Bugtraq mailing list archives

Re: Rxvt vulnerability


From: Syzop <syz () dds nl>
Date: Mon, 18 Jun 2001 02:55:28 +0200

Wichert Akkerman wrote:
> -- snip --
>
> > Status vendor : contacted two weeks ago but no response.
>
> I'm curious who you contacted; from what I can see you did not contact
> Debian but yet you explicitly mention that Debian is vulnerable and
> claim you contacted the vendor two weeks ago.

This isn't the first time something like that happens;
there's something seriously wrong with the Debian security handling.
Just an example.. a few months ago there was a problem with mailx.
I mailed Debian because there was a discussion at vuln-dev about it
(and it didn't look like somebody of Debian security was reading that list).
I didn't hear anything for a week, then I mailed again...
I quote:
"> Why is mailx still not fixed? It was reported almost a week ago.
 I couldn't reproduce it."
It would be nice if somebody had replied to me with that answer, because
mailx WAS vulnerable; 4 days later (after I re-explained how to
reproduce the bug) the new packages were available.

And this is not the first time (I can give you some other examples if you like)...
If you really want people to inform you before they release an exploit,
you have to communicate more with the reporter of the bug; otherwise
you get situations like this, where first an exploit is published and after a (few)
day(s) a patch.. while the reporter of the bug was kind enough to inform you
and gave/wanted to give you the time to fix it.

Really, this is not an incident...

    Syzop.