> Well it is clearly the same person who made the September reports,

I have nothing to do with the iDEFENSE/vade79 bug.

> which did not discuss nntp or command execution. Seems he didn't
> bother to report his further findings to the list: it is not like
> we were hard to find back in September.

I reported the NULL dereferencing bug and not security-related buffer overflows (with data from configuration files like lynx.cfg) in public in September, as I saw them as bugs and not as security vulnerabilities.

The NNTP bug in October was treated as a secret, with communication between the vendor and various distributors first, as I saw it as a vulnerability and as I and the others from the Debian Security Audit Project believe in responsible full disclosure.

Perhaps I should have posted something here about the NNTP bug when it was made public on the 17th.

// Ulf Harnhammar

_______________________________________________
Lynx-dev mailing list
http://lists.nongnu.org/mailman/listinfo/lynx-dev
