Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!howland.erols.net!newsxfer3.itd.umich.edu!newsxfer2.itd.umich.edu!agate!theos.com!deraadt
From: deraadt@theos.com (Theo de Raadt)
Newsgroups: comp.unix.bsd.bsdi.misc
Subject: Re: BSDI: New official patch for BSD/OS 2.1 (U210-032 -- SECURITY)
Followup-To: comp.unix.bsd.bsdi.misc
Date: 05 Jan 1997 07:35:50 GMT
Organization: Theo Ports Kernels For Fun And Profit
Lines: 70
Message-ID: <DERAADT.97Jan5003550@zeus.theos.com>
References: <5a15es$bnt@omega.metrics.com>
NNTP-Posting-Host: zeus.theos.com
In-reply-to: polk@BSDI.COM's message of 27 Dec 1996 13:44:44 -0500
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:5509

In article <5a15es$bnt@omega.metrics.com> polk@BSDI.COM (Jeff Polk) writes:

> There is a new security patch (U210-032) which fixes problems in the
> /etc/security and /etc/daily.local scripts. Sorry for the announcement
> immediately before the holidays, but since information on this problem
> was posted to bsdi-users, bugtraq, and potentially other forums, it
> seemed that the exploitation information was already widely available.
>
> BSDI always appreciates being advised of security problems before they
> are announced to the world. If you discover a security related problem
> with the system, please give us a day or two to address it before
> publishing it widely.

Yeah, a number of people got flamed by BSDI employees over this advisory
being posted to bugtraq. But the record is clear that BSDI was alerted
about these problems _well_ in advance. Like around October 28 and
November 29. BSDI has also been told to look at OpenBSD for other
security fixes too.

First of all it was quite a surprise to be flamed privately about the
advisory going to bugtraq (Heck, I didn't even post it ;-). But more so,
this BSDI advisory smells like slander to those people who found and
fixed the problem. (David for finding these problems, Todd Miller who
provided substantial help at squishing the numerous other similar /tmp
races in the source tree, and myself for fixing just as many).

The claim above, without mentioning any names, is that we suck 'cause we
didn't tell you in advance. The truth is quite different. Mail archives
make it quite clear.

Also I note that this posting to bugtraq was surrounded by others
discussing vendors and *CERT who are not giving credit to the finders of
the bugs. Almost every person felt that the vendors and *CERT should give
credit. Where's the credit in this posting? Recently LOTUS and SGI have
given credit in their advisories.

For the record, the /etc/daily and /etc/security problems were found by
David at secnet.com. Like basically all security problems these days, it
was first reported on the bugtraq mailing list.

Regarding the other BSDI security advisory, the cron/crontab problems
were found by David and myself; and fixed in OpenBSD. The crontab
maintainer was told about those in September or so but no fixes came
out. Eventually it was time for the crontab problems to be reported on
bugtraq. Hmm. Evidently BSDI has decided to credit AUSCERT instead.
Quite simply AUSCERT does not deserve that much credit for ripping off a
bugtraq advisory and simply re-packaging it! BSDI knew we had found
those bugs.

I'm sorry, BSDI, but this is not what security is about. When you annoy
the people who find the bugs you are not going to get the advance
warning you ask for (even though you have, and dropped the ball).

Finally, October 28 is a lot more than a day or two before Christmas Day.

Date: Mon, 28 Oct 1996 14:34:48 -0700
To: Keith Bostic <bostic@bsdi.com>
From: "Todd C. Miller" <millert@xerxes.home.courtesan.com>
Subject: /etc/security can be used to overwrite files as root

---

Date: Fri, 29 Nov 1996 21:35:33 -0700
To: Keith Bostic <bostic@vangogh.cs.berkeley.edu>
From: "Todd C. Miller" <millert@xerxes.home.courtesan.com>
Subject: fyi: security hole in /etc/security ;-) [BSD/OS 2.1]

-- 
This space not left unintentionally unblank.
deraadt@theos.com www.OpenBSD.org -- We're fixing security problems so you can sleep at night.
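The bug class behind the /etc/security and /etc/daily advisories, and behind the "numerous other similar /tmp races" Todd Miller and Theo squished across the tree, is a root-run script writing to a predictable pathname under the world-writable /tmp. The following is an added example, not code from the post, from BSD/OS or from OpenBSD: a small audit function that flags such lines in a shell script (the kind of sweep done across a source tree), plus the mktemp(1)-based replacement for the `TMP=/tmp/name.$$` idiom. It assumes mktemp(1) and an ERE-capable grep are available; the sample script it audits is constructed here.

```sh
#!/bin/sh
# Added example (not from the original post, BSD/OS or OpenBSD).
# Audits a shell script for the pattern behind the /etc/security and
# /etc/daily races: a /tmp pathname that is static or built only from
# $$, which an unprivileged user can pre-create before root writes to it.

# Print every line of "$1" that refers to a /tmp pathname and is not a
# mktemp(1) call. Exit status 0 if suspect lines exist, 1 if none.
find_tmp_races() {
    grep -n -E '(^|[^[:alnum:]_])/tmp/[^[:space:]]*' "$1" | grep -v -E 'mktemp'
}

# Number of suspect lines in "$1" (used by the self-check).
count_tmp_races() {
    find_tmp_races "$1" | wc -l | tr -d ' '
}

# Safe replacement for TMP=/tmp/name.$$: mktemp(1) creates the file itself,
# atomically (O_EXCL) and with an unpredictable name, so a pre-created
# file or symlink at a guessed name cannot be followed.
safe_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/security.XXXXXX"
}

# Constructed sample in the style of the old periodic scripts.
SAMPLE_SCRIPT=$(mktemp "${TMPDIR:-/tmp}/sample.XXXXXX") || exit 1
trap 'rm -f "$SAMPLE_SCRIPT"' EXIT
cat > "$SAMPLE_SCRIPT" <<'EOF'
#!/bin/sh
TMP=/tmp/_secure.$$                         # predictable: flagged
OUT=/tmp/daily.out                          # static: flagged
SAFE=`mktemp /tmp/secure.XXXXXX` || exit 1  # created by mktemp: not flagged
ls -l /etc > $TMP
diff /var/backups/etc.last $TMP > $OUT
EOF

# Running the audit over the sample reports the two predictable names.
find_tmp_races "$SAMPLE_SCRIPT"
```

Run against a real script the function only lists candidates; each hit still needs a reader to confirm the file is opened for writing by a privileged user.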