FreeBSD-SA-02:32.pppd Security Advisory
The FreeBSD Project
Topic:
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Updated mm packages fix temporary file handling
Advisory ID: RHSA-2002:153-07
Issue date: 2002-07-24
Updated on: 2002-07-30
/*
* SAVE DEFCON..HELP GOBBLES..SAVE DEFCON..HELP GOBBLES
*
* When GOBBLES say he and he security team
* are non-profit. He really mean NON-profit.
* This means GOBBLES and he GOBBLES Security
* Labs (GSL) friends do not have much funds.
*
*
snip
Ferson also said that HP reserves
the right to sue SnoSoft and its members for monies
and damages caused by the posting and any use of the
buffer overflow exploit.
This raises a very interesting point. Bruce Schneier has stated
publicly that he believes vendors should be
Andrew Pimlott [EMAIL PROTECTED] wrote:
If he is smart, he will check whether the file is open (eg with fuser)
Not really. The file does not have to be open to be present in the system.
It is perfectly possible to leave a dangling root-owned file several
times,
Correct, but: the admin
To continue the "it takes two to tango" metaphor, I will say the following
(inline):
On Wed, 31 Jul 2002, Chris Paget wrote:
2) R attempts to contact V to reveal the bug.
3) V does not respond.
this is the fault of the vendor for not having a well known and publicized
contact point for
The Zardoz 'Security Digest' Archives
http://securitydigest.org
The Zardoz 'Security Digest' Archive is dedicated to the history of the
Zardoz 'Security Digest'. In time, the plan is to build a comprehensive
history of the digest. At the moment, there's a part of the archive to
SuSE Security Announcement
Package: mod_ssl, mm
Announcement-ID: SuSE-SA:2002:028
Date:
--
CONECTIVA LINUX SECURITY ANNOUNCEMENT
--
PACKAGE : openssl
SUMMARY : Several vulnerabilities
-Original Message-
From: Matt Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 11:59 AM
To: '[EMAIL PROTECTED]'
Subject: Parachat DoS Vulnerability
Parachat DoS Vulnerability Synopsis
Written by Matt Smith aka Ratman ([EMAIL PROTECTED])
Contributions by Amy Marie aka
Hi,
I just read the article at News.com
(http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
controversy between HP and Snosoft. It seems that HP is upset that
details of a dangerous security hole in the HP Tru64 operating system
were published by Phased, a security researcher
I agree fully, with what both of you have to say, and I have another
point to bring up. If companies like HP or Microsoft can put in their
license, terms which remove all liability of themselves for damage
caused security in their products or general defects, and this stands
up in court (and
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
Caldera International, Inc. Security Advisory
Subject: Linux: multiple vulnerabilities in openssl
Advisory
Internet Security Systems Security Brief
July 31, 2002
Remote Buffer Overflow Vulnerability in Sun RPC
Synopsis:
Internet Security Systems (ISS) X-Force has discovered a buffer overflow
in the xdr_array filter primitive. This function is a part of the Sun
Chris Paget [EMAIL PROTECTED] wrote:
Does V still have the right to sue R?
Let's put this a different way:
Ford makes a car that seems to sell pretty well. Unfortunately, it
has a fatal design flaw: if the car suffers a rear-end collision while
it's in third gear during a rainstorm at night
Debian Security Advisory DSA-138-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Wichert Akkerman
August 1, 2002
/* 2002-07-31#04:19
*
* HIJACKING KERNEL SYMBOLS AND FUNCTIONS USED TO LOAD BINARY FORMATS
* --
*
* With this module you can hide tasks from KSTAT, a tool used to find
* attackers in your system by a direct analysis of the
Given the recent news about HP using DMCA to shutter a Bugtraq disclosure of
Tru64 vulnerability, I felt it appropriate to chime in. I hope you find my
comments of value and worthy of relaying onto the list.
The News.Com story with more details is at:
There are some interesting issues being raised:
snip
1) Researcher R finds a security hole in vendor V's product.
2) R attempts to contact V to reveal the bug.
3) V does not respond.
4) R attempts communication several times over the next 90 days, but
never receives a response.
5) R
At some point hitherto, Riad S. Wahby hath spake thusly:
Two weeks later, a story breaks in the national news that a psychopath
has taken it upon himself to rear-end all Ford cars on rainy moonlit
nights. So far, five people have died.
Who is
On Wed, 31 Jul 2002 11:15:27 -0400 (EDT), Greg A. Woods wrote:
[ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ]
Subject: Re: It takes two to tango
Does V still have the right to sue R?
Absolutely not. They were given more than fair notice.
According to the CNet
[ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ]
Subject: Re: It takes two to tango
Does V still have the right to sue R?
Absolutely not. They were given more than fair notice.
If vendors are made liable for
security holes, and those vendors have the right to sue
As much as corporate liability makes sense, I doubt it will ever come to
fruition. I think it will be near impossible to prove negligence. It
will be a matter of interpreting the raw code and showing that the
programmers intentionally cut corners. That won't be an easy thing to
prove.
Chris
Systems Affected:
All UniVerse versions with UV/ODBC
Explanation:
Trying to make an invalid query, the client crashes and makes the server slow,
with a 5 sec to 2 min lag, which could crash the server.
Exploit:
Make a query accessing UV/ODBC (I've used CrystalReports all versions) and
make a
On Wed, 31 Jul 2002 11:34:57 +0100, Chris Paget [EMAIL PROTECTED] said:
CP snip
Ferson also said that HP reserves
the right to sue SnoSoft and its members for monies
and damages caused by the posting and any use of the
buffer overflow exploit.
CP This raises a very
On Wed, 2002-07-31 at 10:48, Jose Nazario wrote:
4) R attempts communication several times over the next 90 days, but
never receives a response.
if the researcher doesn't attempt to work with an established third party
(ie CERT, SecurityFocus) to get this contact made, they are acting