8lgm folks, > This advisory has been sent to: > BUGTRAQ <bugtraq@fc.net> > [8lgm]-Advisory-12.UNIX.suid_exec.27-Jul-1991 > REPEAT BY: > Exploit details will not be made available at this time. > [8lgm]-Advisory-15.UNIX.mail3.28-Nov-1994 > REPEAT BY: > Exploit details will not be available. > [8lgm]-Advisory-11.UNIX.sadc.07-Jan-1992 > REPEAT BY: > Exploit details will not be made available, until patches have > been provided. I'm disappointed to see you dropping the disclosure attitude - for example, I run a NetBSD system that for all I know may be vulnerable to the mail attack, but your "advisory" is utterly useless to me because you don't explain enough for me to test for it. But that's not the main point of my letter. The main point is: bugtraq is a full-disclosure list. If you've fallen victim to the delusion that everyone is running vendor software from a vendor that (still exists and) is responsible about issuing security patches, that's your choice - but in that case, bugtraq is not an appropriate place to send your stuff. And if this keeps up, I'm going to have to ask to be removed from your list; "advisories" that don't tell me anything but "there is a bug" are of so little value that the mailbox clutter factor outweighs it. One of "my" systems is running NetBSD, which has no "vendor", and the other is a NeXT running a good deal of non-vendor software. Without a way to test for the presence of holes, such things are of no use at all to me. der Mouse mouse@collatz.mcrcim.mcgill.edu