At 9:30 AM 4/29/94 -0400, der Mouse wrote:

>In many cases, the bugs come from the original BSD (or sometimes V7)
>code, and knowing this is valuable to those who are working with a
>non-vendor version derived from that same code. But CERT never says
>anything like this; all they ever seem to say is "<foo> is a security
>hole. The following vendors have patched versions available, here's
>where to get them.", which is useless in helping people with other
>vendor versions, or people with non-vendor versions, decide whether
>they are at risk.

I totally agree. Reading CERTs often leaves me with a question as to what the bug is (ex: There is a problem with rdist. Do not allow any users to access it.) or where it showed up in the source. Maybe the bug has been in BSD since net/1 and therefore many vendors are affected. Maybe it popped up in DEC messing with Ultrix and therefore is a DEC-only problem.

I like the way 8lgm released their information. It told you how to reproduce it to see if you're affected, and gave which systems it affected. If they weren't certain, they'd tell you ("might affect all BSD-based program X's").

Disclosure is the key - how can you know if the bug affects you if your system is not listed as affected, unless it is listed as definitely _not_ affected? If you can try out the methods used to re-create the bug, you can see if your system is affected. You also can figure out the best way to secure your system - you might panic and totally remove access to a program, but you could _fix_ it because you know what to look for - anyone can get the code to autoreply from the elm package, then you can patch it before a new version is put out by the maintainers.

The "next_to_last" sendmail hole (bouncing mail through pipes, not debug) has existed through many versions of sendmail, and people have known about it for a long time. It ended up that someone posted a "how-to" to usenet (actually a couple of people posted how-tos) and then people were able to figure out ways to fix the hole, or work-arounds. Sendmail was updated very quickly. Imagine if the parties with the knowledge didn't publicise it. We'd all still have that insecurity (not to say that sendmail is `secure' now... ) ...

Bah. Well, anyway this almost looks like a pro-disclosure manifesto. I've had a long night, flames to /dev/null. (mail from:|/bin/cat >/dev/null)

cc