Re: Security information for dollars?

2001-02-02 Thread Michael Bryan
Ben Greenbaum wrote: As I expected, there has been a flood of responses to the news about ISC's plan for a bind-members program. Rather than approve each, I have summarized many of them here. Personally, from what I'm seeing in these responses, a lot of people are jumping to conclusions, and

Re: kyxspam: isc loses mind

2001-02-02 Thread Paul A Vixie
Sorry for the strong words, but the ISC is fucked up, apparently. But I should have guessed that when I first (tried to) read the later versions of bind source (with apologies to Bill Norton the original project manager for that development). I just had to be slapped in the face with it

Re: Fw: kyxspam: isc loses mind

2001-02-02 Thread James F. Hranicky
When I first saw this, I thought the same as most others. However, it's possible that this approach may have merit. If I found a hole and could update the root servers before disclosure, I'd certainly do it. The more people you can inform without tipping off the black hats, the better. I guess

Immunix 6.2 OS Security update for glibc (revised)

2001-02-02 Thread Greg KH
--- Immunix OS Security Advisory Packages updated: glibc Effected products: Immunix OS 6.2 Bugs Fixed: immunix/1322 Date: February 1, 2001 Advisory ID:

Re: Bind 8 Exploit - Trojan

2001-02-02 Thread Talisker
How did this get approved, did anyone test it or review it? Didn't you? - I'd rather see the information despatched to us quickly and treat it with caution, than have delays introduced whilst the code is rigorously tested. The moderators already have a lot on their plate without dumping this

Re: Security information for dollars?

2001-02-02 Thread C. Cooke
On Wed, 31 Jan 2001, Theo de Raadt wrote: What does the community think of this change in direction? (Myself, I think it is a terrible idea to charge money for security information access, and that closing BIND up like this is also going to be harmful) Ok, just some comments that I haven't

Re: Security information for dollars?

2001-02-02 Thread Drew Whittle
It would be interesting to see how many of the bugs in BIND have been found by Whitehats and how many have been found by Blackhats. Any bug that has been found by a Blackhat should be made public instantly, because by the time Whitehats find out about the bug, it is already being used. IMHO,

Re: String vun. in m4 macro processor (same as in man)

2001-02-02 Thread Daniel Jacobowitz
On Thu, Feb 01, 2001 at 02:20:20PM +0100, Tomasz Kuzniar wrote: Hi, bug same as provious in man on debian (suse also?). Just look: mezon@beata$ m4 -G %x%x%x%x m4: 40012a48380491e00: No such file or directory mezon@beata$ or mezon@beata$ m4 -G %p m4: 0x40012a48: No such file or

Re: kyxspam: isc loses mind

2001-02-02 Thread Darren Coleman
Someone, please, tell me there is an another alternative - because with the direction it's headed now, the Internet based on bind isn't looking like it's going to be a very good, reliable, or secure, network. regrets, --dr We've all managed to survive using BIND for the past x years - I

Re: Security information for dollars?

2001-02-02 Thread Cooper
Jim Reid wrote: One - just ONE - of the features suggested - only suggested - for the BIND Members Forum (BMF) is that members get advance warning of security problems. This is not unreasonable given that members are likely to be folks running root, gTLD and ccTLD name servers or vendors

Paul Vixie interview and vendor responses

2001-02-02 Thread Kurt Seifried
Hola all, Interviewed Paul Vixie to clear some things up, and asked several people about this (some vendors/etc.), the responses are interesting to say the least. By Kurt Seifried ([EMAIL PROTECTED]) for www.SecurityPortal.com February 01, 2001 - ISC's Bind has become the de facto standard for

Re: kyxspam: isc loses mind

2001-02-02 Thread Dragos Ruiu
On Thu, 01 Feb 2001, Darren Coleman wrote: We've all managed to survive using BIND for the past x years - I don't see what has radically changed overnight. It's taken as given nowadays that large, complex systems/software contain bugs, exploits, overflows.. etc etc. The fact that "the

Re: SuSe / Debian man package format string vulnerability

2001-02-02 Thread Tomasz Kuniar
On Wed, Jan 31, 2001 at 02:22:01PM -, Joao Gouveia wrote: : The man package that ships with SuSe Linux ( at least versions 6.1 throught : 7.0 ) has a format string vulnerability. Also debian 2.2r2 ( at least ), is : confirmed to have the same problem. : : quote : jroberto@spike:~ man -l

GoAhead Web Server Directory Traversal Vulnerability

2001-02-02 Thread Sergey Nenashev
Hello! We have found a bug in the GoAhead WebServer, v.2.0 and v.2.1. Attacker can get any file from the drive, where web-server was installed. try follow request http://www.somehost.com/..\..\..\..\..\..\autoexec.bat This vulnerability may allow an attacker to execute code with the

Re: Security information for dollars?

2001-02-02 Thread Jeffery L. Vogt
Michael Bryan wrote: I get the feeling people saw "members only" and "fee-based", and immediately assumed -everything- was changing. But it's not. In discussions with my colleagues, the concern isn't that "everything is changing"... the concern is the "slippery slope". - Arf, JT

Re: fingerprinting BIND 9.1.0

2001-02-02 Thread Cy Schubert - ITSD Open Systems Group
In message [EMAIL PROTECTED], Hendy * writes: On Wed, Jan 31, 2001 at 02:13:07PM -0500, Lucas Holt wrote: Hiding a version number does not someone who knows what they are doing, but it does stop script kiddies out there. If a 14 year old kid can not figure ou t what they are dealing

WebSphere - Minor CSS Issue.

2001-02-02 Thread twi252
Hi folks, Something i came across while testing some of our WebSphere installations (these have been fixed in the current versions of vanilla Apache, so i assume these are just an inherited problem from the old Apache codebase.. Makes you wonder what else there is? :^) ) Retreiving:

Re: String vun. in m4 macro processor (same as in man)

2001-02-02 Thread Manuel Martinez Herraiz
Hi, RedHat 6.1/6.2 also have this problem: REDHAT 6.2 [root@haendel mmh]# m4 -G %pm4: 0x401091ec: No existe el fichero o el directorio REDHAT 6.1 [root@mandanga mmh]# m4 -G %pm4: 0x4010548c: No existe el fichero o el directorio Manuel Martinez.

Re: Security information for dollars?

2001-02-02 Thread Shalon Wood
Cooper [EMAIL PROTECTED] writes: Now, could someone explain to me why a select list of individuals should get an earlier warning? I think this is the crux of the matter. Before you can say that this is a good idea, you first have to show that some people should get early notice. Quite

Re: Security information for dollars?

2001-02-02 Thread Kristofer Coward
1. Inform the BIND developers. They will privately handle the issue, create some sort of patch or update and then send out a notification so that people know they need to upgrade. A day or so later the exploit for the problem can go public and everybody's happy. This is probably the way

BIND, is it all that bad?

2001-02-02 Thread KuroiNeko
Hi all, Do we really need to be worried that much about ISC's decision to create a fee-based membership forum? I think that the major problem is with the wording Paul Vixie's `pre-announcement.' The line below is somewhat ambiguous to me: 2. Vendors who include BIND in their

Re: Security information for dollars?

2001-02-02 Thread Ryan Waldron
On Fri, 2 Feb 2001, Shalon Wood wrote: Cooper [EMAIL PROTECTED] writes: Now, could someone explain to me why a select list of individuals should get an earlier warning? I think this is the crux of the matter. Before you can say that this is a good idea, you first have to show that some

Re: Security information for dollars?

2001-02-02 Thread Patrick Lamb
Shalon Wood wrote: Cooper [EMAIL PROTECTED] writes: Now, could someone explain to me why a select list of individuals should get an earlier warning? I think this is the crux of the matter. Before you can say that this is a good idea, you first have to show that some people should get

Defending the (supposedly) indefensible...

2001-02-02 Thread Phil Scarr
On Fri, Feb 02, 2001 at 07:06:23AM -0600, Shalon Wood ([EMAIL PROTECTED]) was heard to have said: Cooper [EMAIL PROTECTED] writes: Now, could someone explain to me why a select list of individuals should get an earlier warning? I think this is the crux of the matter. Before you can say

Re: Security information for dollars?

2001-02-02 Thread Ryan Russell
On Fri, 2 Feb 2001, Shalon Wood wrote: So, my question to Paul and company is: Why *should* anyone other than critical infrastructure get that notice? I'm willing to be convinced; I just haven't seen an answer to this question yet. And note that 'They bitched and screamed because we didn't

Remote vulnerability in gnuserv/XEmacs

2001-02-02 Thread Klaus Frank
Jan Vroonhof writes: If you are using XEmacs we suggest upgrading to XEmacs 21.1.14 that contains this version (or 21.2.35 if you are running betas). Err.. that's 21.2.43 Klaus

Remote vulnerability in gnuserv/XEmacs

2001-02-02 Thread Jan Vroonhof
SUMMARY All currently available versions of gnuserv for unix prior to 3.12 are vulnerable to remote exploit due to a buffer overflow and weak security. Gnuserv is a remote control facility for Emacsen. Gnuserv ships with XEmacs but is also available stand-alone from various sources for use with

Netscape E.S. Web Publisher ACL Vulnerabilities

2001-02-02 Thread Charles Chear
Vendor: Netscape Product: Enterprise Server 3.5.1 (and others?) Specifics: Netscape Web Publisher Vulnerability Briefing: A very wide problem with ACL settings and default settings with Netscape Enterprise Server (Publisher). Description: With the default installation of Netscape Enterprise

Re: QNX RTP ftpd stack overflow

2001-02-02 Thread Kris Kennaway
On Fri, Feb 02, 2001 at 08:03:09PM +0100, Przemyslaw Frasunek wrote: BTW. Old BSD derived ftpd is also used in opieftpd and SSLftpd. Both are vulnerable to this attack. In case anyone is wondering how old is old: revision 1.5 date: 1996/11/20 22:12:50;

Re: QNX RTP ftpd stack overflow

2001-02-02 Thread Przemyslaw Frasunek
On Fri, Feb 02, 2001 at 03:04:31PM -0800, Kris Kennaway wrote: BTW. Old BSD derived ftpd is also used in opieftpd and SSLftpd. Both are vulnerable to this attack. In case anyone is wondering how old is old: The same problem persists in heimdal / kerberosIV ftpd implementation:

Re: kyxspam: isc loses mind

2001-02-02 Thread Jim Reid
"Dragos" == Dragos Ruiu [EMAIL PROTECTED] writes: Dragos Not only is it NOT solid according to past record So I suppose the 10-12,000 DNS queries that get answered every second by a.root-servers.net or the ~5,000/second that f.root-servers.net answers are handled by something that

Re: QNX RTP ftpd stack overflow

2001-02-02 Thread Ted U
tested on qnx rtp as released on jan. 18 from get.qnx.com. doesn't work. i tried significantly more a's and nothing happens. i get the normal repsonse from stat. /-\ / Ted Unangst - [EMAIL PROTECTED]