Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-27 Thread Michael . Dillon
You seem to be inferring that it is a bad thing to silently patch bugs which may have security implications. The OpenBSD Full disclosure, we believe in it. That's why OpenBSD and other projects publish the full source code. That is full disclosure. I wonder if the same network operators

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-26 Thread Todd Vierling
On Sat, 25 Mar 2006, Gadi Evron wrote: Brandon Butterworth wrote: There are two exploit code samples I saw. There are two remote exploits for one of them so far that are public that I know of. Please provide reference URLs or the code, if not then stop spreading FUD. No. Talk to

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-26 Thread Martin Hannigan
On Sat, 25 Mar 2006, Gadi Evron wrote: Brandon Butterworth wrote: There are two exploit code samples I saw. There are two remote exploits for one of them so far that are public that I know of. Please provide reference URLs or the code, if not then stop spreading FUD. No. Talk to

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread JP Velders
Date: Thu, 23 Mar 2006 19:28:16 -0600 (CST) From: Gadi Evron [EMAIL PROTECTED] Subject: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) [ ... ] No offense Valdis, you know I both like you and consider you a friend, but if you

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Jeroen Massar
On Sat, 2006-03-25 at 13:30 +0100, JP Velders wrote: [..] This isn't about processes, it's about something that has been around for a while, many reply on and keeps *** up. Where it simply can't. What world do you live in where everything is done perfect? If you don't like sendmail

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Gadi Evron
Steven M. Bellovin wrote: On Sat, 25 Mar 2006 04:39:11 +0200, Gadi Evron [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: Well, it *is* mostly a theoretical overflow - for it to work, a site would have to: Exploit is out there. How long did that take? Is the exploit actually

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Brandon Butterworth
There are two exploit code samples I saw. There are two remote exploits for one of them so far that are public that I know of. Please provide reference URLs or the code, if not then stop spreading FUD. Bugs happen, deal with them and move on. The endless whine is more annoying (as are 20

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Gadi Evron
Brandon Butterworth wrote: There are two exploit code samples I saw. There are two remote exploits for one of them so far that are public that I know of. Please provide reference URLs or the code, if not then stop spreading FUD. No. Talk to you after the first worm.

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Matt Ghali
Brandon Butterworth wrote: Please provide reference URLs or the code, if not then stop spreading FUD. On Sat, 25 Mar 2006, Gadi Evron wrote: No. Talk to you after the first worm. OK. We're holding you to your word there, Gadi. [EMAIL PROTECTED]darwin Moral indignation is a

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Brandon Butterworth
Please provide reference URLs or the code, if not then stop spreading FUD. No. Talk to you after the first worm. Don't bother, it's too late then Anyone can claim to have had the 0day after the event. brandon

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Christopher L. Morrow
On Sat, 25 Mar 2006, Gadi Evron wrote: Brandon Butterworth wrote: There are two exploit code samples I saw. There are two remote exploits for one of them so far that are public that I know of. Please provide reference URLs or the code, if not then stop spreading FUD. No. Talk to

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Valdis . Kletnieks
On Sat, 25 Mar 2006 00:57:31 EST, Steven M. Bellovin said: On Sat, 25 Mar 2006 04:39:11 +0200, Gadi Evron [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: Well, it *is* mostly a theoretical overflow - for it to work, a site would have to: Exploit is out there. How long did that

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Valdis . Kletnieks
On Sat, 25 Mar 2006 18:00:41 +0200, Gadi Evron said: There are two exploit code samples I saw. There are two remote exploits for one of them so far that are public that I know of. There's exploits for the race condition. I was *specifically* talking about the integer overflow, which looks

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-24 Thread Michael . Dillon
I wonder how many other unreported silently-patched vulnerabilities are out there? You seem to be inferring that it is a bad thing to silently patch bugs which may have security implications. The OpenBSD team makes a habit of auditing software for flaws and fixing them without waiting to find

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-24 Thread Gadi Evron
[EMAIL PROTECTED] wrote: I wonder how many other unreported silently-patched vulnerabilities are out there? You seem to be inferring that it is a bad thing to silently patch bugs which may have security implications. The OpenBSD Full disclosure, we believe in it. team makes a habit of

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-24 Thread Steven M. Bellovin
On Sat, 25 Mar 2006 04:39:11 +0200, Gadi Evron [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: Well, it *is* mostly a theoretical overflow - for it to work, a site would have to: Exploit is out there. How long did that take? Is the exploit actually effective in the wild? The

SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-23 Thread Gadi Evron
Tech details: Sendmail vulnerabilities were released yesterday. No real public announcements to speak of to the security community. SecuriTeam released some data: Improper timeout calculation, usage of memory jumps and integer overflows allow attackers to perform a race condition DoS on sendmail,

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-23 Thread Valdis . Kletnieks
On Thu, 23 Mar 2006 03:41:52 CST, Gadi Evron said: (I feel obligated to mention that there's 16 mentions of my name in the Sendmail release notes, and zero of Gadi's. This of course influences my opinions and commentary, and possibly Gadi's as well...) ISS only reported the Race Condition

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-23 Thread Dragos Ruiu
On March 23, 2006 01:41 am, Gadi Evron wrote: Here's what ISS releasing the Race Condition vulnerability has to say: http://xforce.iss.net/xforce/alerts/id/216 They say it's a remote code execution. They say it's a race condition. No real data available to speak of. I can't see how it's

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-23 Thread Gadi Evron
On Thu, 23 Mar 2006 [EMAIL PROTECTED] wrote: Also, it would help if instead of FUD-mongering, you actually went to Claus (or asked somebody else to) with *specific suggestions* of how to improve the process. He may be stubborn about the way he does things, but if you include specific

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-23 Thread Steven M. Bellovin
On Thu, 23 Mar 2006 03:41:52 -0600 (CST), Gadi Evron [EMAIL PROTECTED] wrote: It took Sendmail a month to fix this. A month. A month! With such Vendor Responsibility, perhaps it is indeed a Good Thing to go Full Disclosure. It seems like history is repeating itself and Full

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-23 Thread Dragos Ruiu
On March 23, 2006 06:08 pm, Steven M. Bellovin wrote: On Thu, 23 Mar 2006 03:41:52 -0600 (CST), Gadi Evron [EMAIL PROTECTED] wrote: It took Sendmail a month to fix this. A month. A month! Given the scope of the changes you describe -- you wrote Sendmail.com's patch is so big they