On Mon, Jan 29, 2001 at 03:17:17PM -0500, Matt Zimmerman wrote:
On Sat, Jan 27, 2001 at 05:55:25AM +0300, Solar Designer wrote:
The glibc 2.2 RESOLV_HOST_CONF bug which prompted this search for bugs was
reported to Debian by Dale Thatcher but apparently wasn't kept private. The
remaining bugs were discovered and dealt with within two days following the
RESOLV_HOST_CONF bug report. As this bug got public, vendors were forced to
not coordinate the release of updated glibc packages.
It sounds like you're implying that Debian was responsible for publicizing this
bug.
Of course not, but I should have been more explicit about that as
some people definitely read it this way. Sorry for that, :-( and
thanks for your detailed explanation.
This bug was first discussed (this time around) on VULN-DEV, starting
here:
http://archives.neohapsis.com/archives/vuln-dev/2001-q1/0024.html
(dated Sat, 6 Jan 2001 17:23:35 -0500)
Dale Thatcher posted to vuln-dev about the vulnerability in a message dated
"Mon Jan 08 2001 - 10:30:01 CST", which specifically revealed that unstable
Debian was vulnerable.
The bug was reported to Debian by thomas lakofski [EMAIL PROTECTED] to
[EMAIL PROTECTED] and [EMAIL PROTECTED] in a message dated
"Mon, 8 Jan 2001 13:34:52 + (GMT)"
(http://lists.debian.org/debian-security-0101/msg00011.html). Note that
debian-security is a public, archived mailing list, like vuln-dev.
In response to this (public) discussion of the vulnerability, I opened a bug
(http://bugs.debian.org/81587) against the libc6 package (Mon, 8 Jan 2001
10:27:54 -0500) to bring the problem to the attention of the maintainer. Fixed
packages were installed into the archive Thu, 11 Jan 2001 14:57:09 -0500. By
this time, this vulnerability was clearly already public and being actively
explored (and probably exploited).
--
/sd