From owner-freebsd-security Fri May 17 05:18:05 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id FAA12529 for security-outgoing; Fri, 17 May 1996 05:18:05 -0700 (PDT)
Received: from onyx.auscert.org.au (onyx0.auscert.org.au [203.5.112.10]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id FAA12524 for ; Fri, 17 May 1996 05:18:02 -0700 (PDT)
Received: from amethyst.auscert.org.au (amethyst.auscert.org.au [203.5.112.218]) by onyx.auscert.org.au (8.7.5/8.7.1) with ESMTP id WAA05141; Fri, 17 May 1996 22:18:00 +1000 (EST)
Received: from localhost (localhost [127.0.0.1]) by amethyst.auscert.org.au (8.7.5/8.7.2) with SMTP id WAA11280; Fri, 17 May 1996 22:17:58 +1000 (EST)
Message-Id: <199605171217.WAA11280@amethyst.auscert.org.au>
X-Authentication-Warning: amethyst.auscert.org.au: Host localhost [127.0.0.1] didn't use HELO protocol
To: Vladimir Jojic
cc: freebsd-security@freebsd.org
Subject: Re: very bad
In-reply-to: Your message of "Fri, 17 May 1996 12:09:30 +0200." <199605171009.MAA00475@EUnet.yu>
Date: Fri, 17 May 1996 22:17:57 +1000
From: Danny Smith
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Vladimir Jojic writes:
> What IS very bad about this whole thing isn't the existence of this bug
> as much as how easily information about it can be obtained. Even if
> you do send a patch along with the info, there is still the danger that someone
> gets up earlier than root, and then ... (sweet dreams, root!)
>
> > You know though, for ones this bad I'd really rather you sent the
> > message to security-officer@freebsd.org rather than freebsd-security
> > in the future. There are easily over 1000 people on this list and you
> > just announced a cookbook method for any shell account user to go root
> > on a FreeBSD based ISP box; hardly the kind of information one would
> > want to see widely circulated without a prepared fix, at the
> > least.
:-( Another unfortunate part is that it is approaching midnight in Australia (and it is now past midnight in New Zealand) at the start of the weekend. Posting vulnerability information like this has not helped any system administrators if they are all home for the weekend. All it has done is increase the exposure of their systems to attack by more people. I personally don't think that is helping anyone at all.

Danny Smith.

==========================================================================
Danny Smith                   | Fax: +61 7 3365 4477
AUSCERT                       | Phone: +61 7 3365 4417
c/- Prentice Centre           | (answered during business hours)
The University of Queensland  | (on call after hours for emergencies)
Qld. 4072. Australia          | Internet: auscert@auscert.org.au

Standard Disclaimer: My opinions do not necessarily reflect the policy of AUSCERT or The University of Queensland.