On Mon, Jan 29, 2001 at 03:17:17PM -0500, Matt Zimmerman wrote:
> On Sat, Jan 27, 2001 at 05:55:25AM +0300, Solar Designer wrote:
> > The glibc 2.2 RESOLV_HOST_CONF bug which prompted this search for bugs was
> > reported to Debian by Dale Thatcher but apparently wasn't kept private.  The
> > remaining bugs were discovered and dealt with within two days following the
> > RESOLV_HOST_CONF bug report.  As this bug got public, vendors were forced to
> > not coordinate the release of updated glibc packages.
>
> It sounds like you're implying that Debian was responsible for publicizing this
> bug.

Of course not, but I should have been more explicit about that as
some people definitely read it this way.  Sorry for that :-( and
thanks for your detailed explanation.

> This bug was first discussed (this time around) on VULN-DEV, starting
> here:
>
> http://archives.neohapsis.com/archives/vuln-dev/2001-q1/0024.html
> (dated Sat, 6 Jan 2001 17:23:35 -0500)
>
> Dale Thatcher posted to vuln-dev about the vulnerability in a message dated
> "Mon Jan 08 2001 - 10:30:01 CST", which specifically revealed that unstable
> Debian was vulnerable.
>
> The bug was reported to Debian by thomas lakofski <[EMAIL PROTECTED]> to
> [EMAIL PROTECTED] and [EMAIL PROTECTED] in a message dated
> "Mon, 8 Jan 2001 13:34:52 +0000 (GMT)"
> (http://lists.debian.org/debian-security-0101/msg00011.html).  Note that
> debian-security is a public, archived mailing list, like vuln-dev.
>
> In response to this (public) discussion of the vulnerability, I opened a bug
> (http://bugs.debian.org/81587) against the libc6 package (Mon, 8 Jan 2001
> 10:27:54 -0500) to bring the problem to the attention of the maintainer.  Fixed
> packages were installed into the archive Thu, 11 Jan 2001 14:57:09 -0500.  By
> this time, this vulnerability was clearly already public and being actively
> explored (and probably exploited).

--
/sd
