Path: utzoo!attcan!uunet!lll-winken!brutus.cs.uiuc.edu!usc!rutgers!orstcs!sapphire!pvo3366
From: pvo3366@sapphire.OCE.ORST.EDU (Paul O'Neill)
Newsgroups: comp.unix.wizards
Subject: Re: sendmail/ftpd security-holes raise their ugly heads again...
Summary: security bedtime story
Message-ID: <12661@orstcs.CS.ORST.EDU>
Date: 28 Sep 89 05:27:54 GMT
References: <21@minya.UUCP>
Sender: usenet@orstcs.CS.ORST.EDU
Reply-To: pvo3366@sapphire.OCE.ORST.EDU (Paul O'Neill)
Organization: Coastal Imaging Lab, Oregon State University, Corvallis, OR
Lines: 51

In article <21@minya.UUCP> jc@minya.UUCP (John Chambers) writes:
>
>First, the ethical question.  Should I tell anyone?  .........
>..............................................We know from much
>experience that most vendors have a history of not welcoming this
>information.
> ...................
>Is this all a hopeless dream, or are we stuck with knowing there are problems
>but that if we're smart, we'll keep quiet about them?
>

Of course tell someone -- the vendor.

What "much experience"?  Pure folklore.

What follows is a true story and a picture-perfect example of how security
holes should be handled.

Can you say "mail to a pipe"?  I thought so.

Can you say "mail to a pipe without ``debug''"?  Ah ha, choked on that one,
didn't ya'?

While working on a mail problem on a Sun 386i I discovered a bug in Sun's
sendmail that allowed just this.  Debug was turned off, yet mail to a pipe
was possible.

I told Sun about it.

They figured out a fix *that night*.

They had a tape with the fix on it at the next Berkeley Sun Local Users Group
(SLUG) meeting within a week.

They had the fix available for anonymous ftp on uunet.uu.net within a month.

[Have you installed those things from ~ftp/sun-fixes yet?  They're there for a
reason, you know.]

So -- now that the vendor has been told, the fix has been propagated and
everyone has had time to install it, it's time to tell the security mailing
list about it.

To summarize:

1) tell the vendor
2) wait
3) tell the [reasonably secure] world

Discussion?

Paul O'Neill				pvo@oce.orst.edu
Coastal Imaging Lab
OSU--Oceanography
Corvallis, OR  97331
503-754-3251