On Tue, Dec 02, 2003, at 15:01 -0600, Preston Boyington wrote:

> > Though I am somewhat concerned about the following bit from the
> > message:
> >
> > "Please understand that we cannot give away the used exploit to
> > random people who we don't know. So please don't ask us about it."
> >
> > I'm afraid I'm part of the group that just doesn't understand. This
> > snippet reeks of security through obscurity for me. If the hole has
> > been identified and, presumably, fixed, why not tell people about it?
>
> I agree. I support and recommend Debian to my peers and clients on
> the basis that Debian is a stable and secure distribution. Therefore
> when something (such as this) happens I want to have full disclosure
> so I can confidently deploy Debian on our network.
Why would your clients be interested in step-by-step details on how to
accomplish this? You know it was done by a C integer overflow in the
brk() call. And you now know that it was fixed, what Debian has done, a
timeline of events and details on the forensics analysis. What else do
you want? And why?

It's not in anyone's interest, for the sake of security and time, to
document a step-by-step set of instructions. If you *really* wanted to
know, read the kernel-hackers mailing list.

-- 
scott c. linnenbringer | [EMAIL PROTECTED]
http://www.panix.com/~sl | [EMAIL PROTECTED]