Re: [Full-Disclosure] it's all about timing

2002-08-01 Thread John Scimone
I agree with this. However, in the Snosoft case the facts have been smeared by all the different stories going around. I will not get into it in detail but we have been working with HP on this for 4+ months, bending over backwards for them to keep everything out of the eyes of the public.

FreeBSD Security Advisory FreeBSD-SA-02:34.rpc

2002-08-01 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE----- FreeBSD-SA-02:34.rpc Security Advisory The FreeBSD Project Topic: Sun RPC

RE: It takes two to tango

2002-08-01 Thread John Howie
Riad, et al, You are ignoring a major difference between the software industry and most other industries. The following applies to the US and most jurisdictions. The software vendor is selling you a license to use their product, not the product itself. Their license requires you to agree to

Re: It takes two to tango

2002-08-01 Thread Randy Hinders
As much as it pains me to say this, I feel I must (for sake of argument). There is an assumed risk in using any product. The different analogies that people are coming up with are ludicrous. Given the current political and prejudice* situations, litigation in the courts is not the way to

Incorrect Dichotomy - Was: It takes two to tango

2002-08-01 Thread Matthew White
A line in the post from Riad S. Wahby bothered me. Who is responsible, Ford or Consumer Reports? This is a false dichotomy where we have to choose between the only two options presented. Neither should be sued however - this is why America is so litigious. The REAL person to blame and at fault

openssh-3.4p1.tar.gz distribution recently trojaned

2002-08-01 Thread Mikael Olsson
From http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security - Forwarded message from Edwin Groothuis [EMAIL PROTECTED] - Date: Thu, 1 Aug 2002 16:55:51 +1000 From: Edwin Groothuis [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: openssh-3.4p1.tar.gz trojaned

trojan horse in recent openssh (version 3.4 portable 1)

2002-08-01 Thread Christian Bahls
[ I am not subscribed to bugtraq .. so if you reply please include me in the cc] I did an analysis on the trojan horse that was hidden in the recent portable version of openssh (3.4p1). It could be found (and still can be) on ftp.openbsd.org and its mirrors. In openssh-3.4p1/openbsd-compat a

[SECURITY] [DSA 139-1] New super packages fix local root exploit

2002-08-01 Thread Martin Schulze
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Debian Security Advisory DSA 139-1 [EMAIL PROTECTED] http://www.debian.org/security/ Martin Schulze August 1st, 2002

OpenSSH Security Advisory: Trojaned Distribution Files

2002-08-01 Thread Niels Provos
OpenSSH Security Advisory (adv.trojan) 1. Systems affected: OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the OpenBSD ftp server and potentially propagated via the normal mirroring process to other ftp servers. The code was inserted some time between the 30th and 31st of July.

Re: Phenoelit Advisory 0815 ++ -- Brick

2002-08-01 Thread Andrew Ferreira
In-Reply-To: [EMAIL PROTECTED] Lucent Technologies Internet Security Products July 25, 2002 Advisory Notification Response SUMMARY This statement is in response to an advisory authored by individuals identifying themselves as kim0

SuSE Security Announcement: wwwoffle (SuSE-SA:2002:029)

2002-08-01 Thread Thomas Biege
-----BEGIN PGP SIGNED MESSAGE----- SuSE Security Announcement Package: wwwoffle Announcement-ID: SuSE-SA:2002:029 Date:

Re: [Full-Disclosure] Re: it's all about timing

2002-08-01 Thread Georgi Guninski
IMHO the threats against Snosoft are FUD, even more FUD than the Sklyarov FUD. I personally don't expect any court. What scares me is that the Responsible Disclosure FUD continues. On bugtraq people write that CERT and SecurityFocus are established parties and everyone who does not give them

FreeBSD Security Advisory FreeBSD-SA-02:34.rpc [REVISED]

2002-08-01 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE----- FreeBSD-SA-02:34.rpc Security Advisory The FreeBSD Project Topic: Sun RPC

HiverCon 2002, Ireland - Earlybird registration now available

2002-08-01 Thread Mark Anderson
Developers, admins and security specialists alike meet to discuss the current state of computer security and the need for change. http://www.hivercon.com/ -- Dublin, Ireland will be the venue for this year's HiverCon. With a rich line-up of high-end technical talks, guests will be given the

Re: IPSwitch IMail ADVISORY/EXPLOIT/PATCH

2002-08-01 Thread Tom Fischer
Today Ipswitch released IMail Version 7.12 which solves the buffer overflow bug in the Web Messaging Daemon. IMail Version 7.12 Release Notes: http://support.ipswitch.com/kb/IM-20020731-DM02.htm Download: ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail712.exe -- Tom Fischer

List of mirrors carrying trojaned OpenSSH

2002-08-01 Thread Tomi Nylund
Hello, my first post to the list. Cool.. :) Sorry for the horrible formatting: this was posted in haste using Netscape's Mail client :( Anyways, we did some research here at Oulu regarding the propagation of the trojaned OpenSSH-3.4p1.tar.gz, and found out the following: Trojaned mirrors:

[SECURITY] [DSA 140-1] New libpng packages fix buffer overflow

2002-08-01 Thread Martin Schulze
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Debian Security Advisory DSA 140-1 [EMAIL PROTECTED] http://www.debian.org/security/ Martin Schulze August 1st, 2002

RE: Comment on DMCA, Security, and Vuln Reporting

2002-08-01 Thread Wolf, Glenn
In light of the fact that 2600 was successfully sued over merely linking to DeCSS source code under the DMCA (and losing a subsequent appeal), and especially since News.com mentioned that fact in their article, I'm absolutely AMAZED that they would do just that, linking directly to exploit code

FW: Windows 2000 Service Pack 3 now available.

2002-08-01 Thread Leif Sawyer
FYI -----Original Message----- Subject: Windows 2000 Service Pack 3 now available. Microsoft has just released its final version of Service Pack 3. A list of fixes incorporated into SP3 can be found at: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320853 Service Pack 3 (128 mg)

Re: OpenSSL Security Alert - Remote Buffer Overflows

2002-08-01 Thread Scott Gifford
Ben Laurie [EMAIL PROTECTED] writes: OpenSSL Security Advisory [30 July 2002] This advisory consists of two independent advisories, merged, and is an official OpenSSL advisory. I've done some work on running SSL/TLS code as a separate process in a chroot jail as an unprivileged user,

RE: Windows 2000 Service Pack 3 now available.

2002-08-01 Thread Colin Stefani
Be sure to read the new EULA/privacy statement for Windows update, it has an interesting portion about how Windows Update and Automatic Update (which gets installed with SP3) can, by agreeing to this license, send the following pieces of info to Microsoft, this was posted on the MS focus list by

Formal Response to HP

2002-08-01 Thread ATD
All, A formal response to the DMCA threat from HP has been posted to our web site. The URL is http://www.snosoft.com/fr.html. Sincerely, Adriel T Desautels. Founder, Secure Network Operations, Inc. Phone: 978-897-0974

trillian buffer overflow

2002-08-01 Thread John C. Hennessy
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Problem: Trillian's IRC module suffers from a buffer overflow. This allows an attacker to execute code of their choice. I have attempted to contact the Trillian developers about this issue with no success. John C. Hennessy Information

Re: FreeBSD Security Advisory FreeBSD-SA-02:34.rpc

2002-08-01 Thread Adam Sampson
The FreeBSD patch says: c = *sizep; - if ((c maxsize) (xdrs-x_op != XDR_FREE)) { + if ((c maxsize UINT_MAX/elsize c) + (xdrs-x_op != XDR_FREE)) { return (FALSE); } Is this fix correct? Previously, xdr_array would return false if

Fw: [slackware-security] Security updates for Slackware 8.1

2002-08-01 Thread Adam Young
Figured this would be of importance to bugtraq. Begin forwarded message: Date: Wed, 31 Jul 2002 13:11:28 -0700 (PDT) From: Slackware Security Team [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [slackware-security] Security updates for Slackware 8.1 From: Slackware Security Team

Re: Windows 2000 Service Pack 3 now available.

2002-08-01 Thread Darren Reed
In some mail from Colin Stefani, sie said: Be sure to read the new EULA/privacy statement for Windows update, it has an interesting portion about how Windows Update and Automatic Update (which gets installed with SP3) can, by agreeing to this license, send the following pieces of info to

Re: It takes two to tango

2002-08-01 Thread Ltlw0lf
I've been looking at them for years, and so has FX; both of us will be giving talks at DEFCON this year (and no, unlike Gobbles, I'll be paying my own way this year and don't need anyone else's help.) Epson is terrible at dealing with vulnerabilities in their systems, and so are the others.

Sun AnswerBook2 format string and other vulnerabilities

2002-08-01 Thread ghandi
DynaWeb httpd Format String and AnswerBook 2 Unauthenticated Admin Script Execution Vulnerabilities Release Date: August 1, 2002 Application: Solaris ab2 1.4.2 / dwhttpd 4.1a6

OpenSSL Vulnerabilities

2002-08-01 Thread Tina Bird
The vendors listed in the CERT advisory on the OpenSSL vulnerabilities are all producing server-side software: http://www.cert.org/advisories/CA-2002-23.html Does anyone know if Netscape, Opera, Internet Explorer or any of the other browsers are vulnerable to these issues? Thanks in advance --

Re: Winhelp32 Remote Buffer Overrun

2002-08-01 Thread Jelmer
I just installed Service Pack 3 and the following code still crashed my IE6 with a "memory could not be referenced" error. OBJECT ID=hhctrl TYPE=application/x-oleobject CLASSID=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 PARAM name=Command value=Shortcut PARAM name=Button

Re: The SUPER bug

2002-08-01 Thread William Deich
GOBBLES discovered a truly dumb bug in super. My thanks to him for that. Zero thanks to him for not bothering to notify the author before publishing. Zero thanks to him for the gratuitous insults. Thanks to Martin Schulze and Robert Luberda of debian.org for informing me and sending along a

RE: Windows 2000 Service Pack 3 now available.

2002-08-01 Thread Nick FitzGerald
Colin Stefani [EMAIL PROTECTED] wrote: Be sure to read the new EULA/privacy statement for Windows update, it has an interesting portion about how Windows Update and Automatic Update (which gets installed with SP3) can, by agreeing to this license, send the following pieces of info to