Re: Bug#130876: Very definitely a bug, security

To: Lazarus Long <lazarus@overdue.ddts.net>
Cc: "Jonathan D. Amery" <jdamery@chiark.greenend.org.uk>, 130876@bugs.debian.org, debian-security@lists.debian.org
Subject: Re: Bug#130876: Very definitely a bug, security
From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Date: Sat, 26 Jan 2002 19:14:15 +0100
Message-id: <[🔎] 87u1t9nfns.fsf@CERT.Uni-Stuttgart.DE>
In-reply-to: <[🔎] 20020126050114.GA21951@overdue.ddts.net> (Lazarus Long's message of "Sat, 26 Jan 2002 05:01:14 +0000")
References: <Pine.LNX.4.21.0201260238080.14930-100000@chiark.greenend.org.uk> <[🔎] 20020126050114.GA21951@overdue.ddts.net>

Lazarus Long <lazarus@overdue.ddts.net> writes:

>  > severity 130876 wishlist
>  > thanks
>  > 
>  >  This is not a bug.  
>
> This is definitely a security risk.

It helps auditing a large farm of Debian machines.

For example, there is currently no reliable way to remotely tell if a
box running OpenSSH 1.2.3 is using an up-to-date Debian version with
the security fix.  An attacker will simply try all his exploits and
move to the next machine if they are unsuccesful.  The good guys can
do that, too, but they cannot be sure if they just got the offsets
wrong or something like that, so that the machine is vulnerable
despite the attack was not successful.

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

Reply to:

References:
- Re: Bug#130876: Very definitely a bug, security
  - From: Lazarus Long <lazarus@overdue.ddts.net>

Prev by Date: Re: Bug#130876: Very definitely a bug, security
Next by Date: Re: Securing bind..
Previous by thread: Re: Bug#130876: Very definitely a bug, security
Next by thread: Re: Problem with IPTables
Index(es):
- Date
- Thread