[techtalk] security problem

Mary Gardiner linuxchix at puzzling.org
Sat May 12 09:24:25 EST 2001


On Fri, May 11, 2001 at 10:31:19PM +0000, Vincent Isaac West wrote:
> On Fri, 11 May 2001, Linda MacPhee-Cobb wrote:
> 
> > I sent mandrake a bug report, but who should I send this information to?  I 
> > found it posted on a linux users list for beginners, so it is online for 
> > crackers to find.  I found it while searching for something else entirely.
> 
> Do you know if anyone's already posted it to bugtraq or the appropriate
> mandrake lists?

Some loose notes from 'how to be a popular security flaw spotter,' a discussion
on bugtraq some time ago, for if you decide to post to bugtraq
(BUGTRAQ at SECURITYFOCUS.COM):

1) Contact the authors/those responsible first. You seem to have done this by
posting a Mandrake bug report, but dig a little for some information on who
is responsible for that particular piece of Mandrake first, and send them mail.
The Mandrake lists are also a good idea; make sure it's the developers' list,
not a users list (users may well want to know about the bug, but developers are
the ones you want to fix it).

Is it a core Mandrake problem, or a package problem? If a package, see if you
can find the maintainer, who likely gets less email and possibly is, or more
likely, can contact, the author(s).

2) Give the developers some notice that you're about to post to bugtraq. If
they've had notice of the bug for a while, a few days might do. This is not a
threat, 'fix now or bugtraq hears,' but fair warning, since if crackers don't
know, they will after a bugtraq post.

3) No one will love you for a Friday post (because they will be working all
weekend fixing said security flaw). Seriously. This was a real warning.

4) Post a detailed exploit (not necessarily to bugtraq, but to the developers).
This is great advice for any bug report, since it is much easier to fix if they
can step through it, see what's happening. Tell them the code section if you
know it.

Incidentally, if you are a programmer and the patch is trivial (unusual for
security holes), you might want to send it to them.

Mary.

-- 
Mary Gardiner
<mary at puzzling.org>
GPG Key ID: 77625870