On Mon, Dec 17, 2001 at 07:06:30PM -0800, Tom Parker wrote:

> Vendor Solutions:
>
> Red Hat have released the following series of packages which
> fix the glibc issues. Other vendors are yet to release official
> packages due to a lack of preparation time.

This isn't exactly the case. The only lack of time was to make sure "your" vulnerability is the same as the one vendors were already working on fixing. Yes, this could have been avoided if one vendor (and it's not Red Hat) propagated your report to others. This also explains why update announcements started falling in here almost immediately after Red Hat's.

We (Openwall GNU/*/Linux) had this fixed for both Owl-current and Owl 0.1-stable on 2001/12/14.

I'd like to use this opportunity to remind Bugtraq readers that currently we don't "spam" the list with security update announcements. Instead, there're the system-wide change logs where any security fixes are marked specially, --

http://www.openwall.com/Owl/CHANGES.shtml
http://www.openwall.com/Owl/CHANGES-stable.shtml

Only really critical security fixes will also be announced to Bugtraq.

So far, during the 7 months since Owl went public, there have been no privilege escalation holes (both remote and local) which could be exploited in an active attack(*) and affected the default install(**).

(*) Of course, root may run gnupg with the format string vulnerability on untrusted input and there's the problem. Yes, there were "passive" vulnerabilities like that fixed during this time, -- all documented as such in the change logs above.

(**) There were a few affecting non-default but supported installs of Owl, with no third-party software installed. The exhaustive list is: Linux 2.2.19 kernel bugs (if newgrp(1) is enabled), xinetd (if ident lookups are enabled), OpenSSH (authorized_keys2 "from=", UseLogin). All of these have been on Bugtraq.

-- 
/sd