I induced my syslog-ng 1.4.14 to crash repeatably. I remember seeing some time ago that the author was in the hospital, and I see from the web page that not much has changed in quite a while, leading me to believe that he might still be indisposed. Normally I would disclose the crash to the list, but if no fix will be forthcoming I am afraid to let other people know how to down a server. Does anyone know if the author is still available, or if I should dig into the code to generate a patch on my own before releasing this information?

-- William Colburn, "Sysprog" <wcolburn@nmt.edu> Computer Center, New Mexico Institute of Mining and Technology http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
William D. Colburn (aka Schlake) on Fri, Feb 01, 2002 at 12:58:57PM -0700:

> Normally I would disclose the crash to the list, but if no fix will be forthcoming I am afraid to let other people know how to down a server.
> Does anyone know if the author is still available, or if I should dig into the code to generate a patch on my own before releasing this information?

William,

I strongly suggest you publish this problem to this list, or, if it is relevant enough, to the security lists (vuln-dev, bugtraq, whatever you see fit). The security community agrees that security issues should be published within a certain amount of time, to allow people to think about countermeasures of any kind or at least *know* that they are vulnerable ... see http://www.securityfocus.com/ and look for the full disclosure policy. Chances are, if you could figure out the problem exists, somebody malicious could too ... besides that, I believe Balazs is back from the hospital anyway?

Regards,

-- Gregor Binder <gb@(rootnexus.net|sysfive.com)> Id: 0xE2F31C4B Fp: 8B8A 5CE3 B79B FBF1 5518 8871 0EFB AFA3 E2F3 1C4B
On Fri, Feb 01, 2002 at 09:28:43PM +0100, Gregor Binder wrote:

> William D. Colburn (aka Schlake) on Fri, Feb 01, 2002 at 12:58:57PM -0700:
> > Normally I would disclose the crash to the list, but if no fix will be forthcoming I am afraid to let other people know how to down a server.
>
> I strongly suggest you publish this problem to this list, or, if it is relevant enough, to the security lists (vuln-dev, bugtraq, whatever you see fit).

My turn to agree with Gregor. Also, I should mention that this may not even be a vulnerability. Talk to us, discuss what you see happening. Denial of service problems usually exist with every service on every IP network; maybe it's something like that. Maybe the problem can be patched by a casual C hacker and can be fixed on this list immediately, even if Balazs isn't around. Share with us.

-- Nate Campi "Usenet isn't a right. It's a right, a left, and a swift uppercut to the jaw." -Computer Museum (Boston)
> Normally I would disclose the crash to the list, but if no fix will be forthcoming I am afraid to let other people know how to down a server.

I'm here and available, I was skiing for a week. ;)

-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
I've sent my disclosure to Balazs, and I'm posting here about my ethical viewpoint on bug disclosure. I feel that disclosure is a good thing, but I also think that good-neighbor ethics requires a private disclosure first. The vendor of the software needs a chance to address the issue and have a fix ready before the vulnerability makes the prime time. Full disclosure can sometimes be a tool to force a vendor to fix their product as well.

On Mon, Feb 04, 2002 at 04:50:36PM +0100, Balazs Scheidler wrote:

> > Normally I would disclose the crash to the list, but if no fix will be forthcoming I am afraid to let other people know how to down a server.
>
> I'm here and available, I was skiing for a week. ;)

-- William Colburn, "Sysprog" <wcolburn@nmt.edu> Computer Center, New Mexico Institute of Mining and Technology http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn