lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.21.0702141858190.5728-100000@linuxbox.org>
Date: Wed, 14 Feb 2007 19:02:29 -0600 (CST)
From: Gadi Evron <ge@...uxbox.org>
To: Joep Vesseur <Joep.Vesseur@....COM>
Cc: bugtraq@...urityfocus.com
Subject: Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability -
 how many on yournetwork?

On Thu, 15 Feb 2007, Joep Vesseur wrote:
> Gadi,
> 
> > [...]
> > One note: although it could just as well be a bug, who says it was not a
> > backdoor in the early 90's?
>  >
> > Also, I understand this does not work on older Solaris/SunOS systems
> > (anyone can verify?) 
> 
> I can. It is not present in anything before Solaris 10.
> 
> > which adds to my personal interest in the
> > possibility. I refuse to believe someone is that funny/sad.
> 
> Not sure what you mean here... You don't believe this is a (very
> unfortunate) accident?
> 
>  From where I stand (pretty close to the fire) this is pretty much
> what it looks like (an extended multi-file, multi-entrance-point
> change with unforseen and unnoticed interdependencies).

This needs to be further discussed, as your response here has been
awe-striking.

The remote possibility was raised, and for several reasons:
1. It just didn't seem to be possible such a vulnerability would exist,
yet it does.
2. It was a remote one (not raised by me, btw) which I wanted answers for
rather than let it die under the usual flames.
3. It was raised, we needed to discuss it.

Sun has been completely visible and did full-disclosure on the
vulnerability, how it got there, etc. I have to tip my hat to you and
thank you for your help with this.

I believe the entire industry should thank you, and follow your lead.

This is the first case where I have seen a vendor respond in such
fashion. It is to be commended yet again. You have proven what being open
with the community can achieve.

This is a serious F up on the side of Sun. Everyone makes mistakes
and incidents will happen no matter what. What matters here is how you
responded to the incident when it did happen.

	Gadi.

> 
> Joep
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ