Full Disclosure mailing list archives
Re: FreeRADIUS 0.9.2 "Tunnel-Password" attribute handling vulnerability
From: Ron DuFresne <dufresne () winternet com>
Date: Thu, 27 Nov 2003 22:43:12 -0600 (CST)
David, Thanks for the clarifications. I did indeed have some of the sequence of events out of focus. It sounds as though all sides are covered, and risk of future episodes have been migitaged, all for the better good. Thanks, Ron DuFresne On Thu, 27 Nov 2003, David Maxwell wrote:
On Tue, Nov 25, 2003 at 04:19:02PM -0600, Ron DuFresne wrote:"S-Quadra Security Research" posted a vulnerability earlier today about FreeRADIUS which is (to be polite) not entirely correct.since the freeradius folks Actually you yourself?> responded yesterday to this, isn't your claim here a tad misleading? Afterall, their announcment is posted and dated today, friday, not thursday when the first reference and the patch was announced;You seem to be referring to the date the announcement was posted to Full Disclosure. Alan is referring to the date the announcement was posted to the public Free Radius mailing list.Of course a mail alias on your end to direct bugs, or bugreports, or something perhaps a tad more clear for addressing such issues could wellI agree - I'll encourage Alan to add such information to the webpages. [...]I think some level of credit should be given that an attempt was made.[...]folks tried, and perhaps only half-heartedly to notify others of the issue prior to going public, and the information made it to the proper end channel and was addressed. No real harm done, thill the responses started to flow from the freeraduis crowd that seems to feel *insulted* that a flaw was discovered in their code. Big deal, flaws happen, and ifAlan is unlikely to refuse to address any future issue, or refuse to work with anyone who contacts the developers with a security issue - any such behaviour would be irresponsible for a project leader.So, you decided to not work with the researcher, made your bed, and now have to lay in it, bummer, might want to rethink that stratedgy in the future. If the developers/maintainers decide to not work with the researchers/discoverers of bugs, then well, bummer, dance to the music.You don't seem to have the sequence of events straight - First, the researcher published the vulnerability to the public FR list. At that point, there was no reason to do anything other than patch ASAP, as users were now exposed with no available resolution. What point is there in coordinating an announcement of an already published vulnerability? However, Alan provided a vendor statement to the researcher - who then did not include it in his post to other security lists. Don't confuse Alan's lack of desire to 'coordinate' on an already public vulnerability with a lack of desire to cooperate with this researcher, or any others in the future. -- David Maxwell, david () vex net|david () maxwell net --> If you don't spend energy getting what you want, You'll have to spend it dealing with what you get. - Unknown
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- FreeRADIUS 0.9.2 "Tunnel-Password" attribute handling vulnerability S-Quadra Security Research (Nov 21)
- Re: FreeRADIUS 0.9.2 "Tunnel-Password" attribute handling vulnerability David Maxwell (Nov 21)
- Re: FreeRADIUS 0.9.2 "Tunnel-Password" attribute handling vulnerability Ron DuFresne (Nov 25)
- Re: FreeRADIUS 0.9.2 "Tunnel-Password" attribute handling vulnerability David Maxwell (Nov 27)
- Re: FreeRADIUS 0.9.2 "Tunnel-Password" attribute handling vulnerability David Maxwell (Nov 27)
- Re: FreeRADIUS 0.9.2 "Tunnel-Password" attribute handling vulnerability Ron DuFresne (Nov 27)
- Re: FreeRADIUS 0.9.2 "Tunnel-Password" attribute handling vulnerability Ron DuFresne (Nov 25)
- Re: FreeRADIUS 0.9.2 "Tunnel-Password" attribute handling vulnerability David Maxwell (Nov 21)