Security problem in old nfs-server versions (DFN-CERT#41511).



I just got word from DFN-CERT that there is a bug in pre-2.2beta6
versions of nfsd that can have serious security consequences. These
old versions did not treat lines containing only white space properly.
These lines would magically turn into a world-wide export of the current
working directory, with default permissions (read-only at least).
The report quoted to me by DFN-CERT claims that at least DLD is concerned.
I would ask other vendors to make sure they use a more recent version
of unfsd.  (Note that this release dates back to December 1995).

Unfortunately, I don't have the email address of anyone representing DLD.
If anyone who has an address could please forward the message and send
me back the address so I can add it to my list? However, please don't
post this information to linux-security or usenet yet since I'm not
sure what DFN-CERT is up to with regard to this.

Finally, is there any interest in a linux vendor security list where we
can share security information without releasing it to the masses and
create joint announcements (the way the Linux Security FAQ updates used
to work?). Of course, I'd also want to include prominent security guys
from the Linux community.  I'd volunteer to set up this list and handle
subscriptions.

Just to guard myself against any reproaches of hiding something from
you; I'm employed by Germany-based LST which maintains the OpenLinux
base distribution for Caldera. I hope no-one has a problem with this.
People I've been working with during and after my moderatorship of
linux-security know that I've always been sharing information about
security holes freely.

Olaf
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@lst.de        +-------------------- Why Not?! -----------------------
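
An added example, not part of the original message and not code from nfsd: a check an administrator could run over an exports file to find the lines the message describes. It assumes that "lines containing only white space" means non-empty lines made up solely of whitespace characters, so truly empty lines are not flagged; the sample file contents and host names are constructed.

```python
"""Audit an exports file for whitespace-only lines (added example)."""
import sys

# Constructed sample; paths and host names are made up for illustration.
SAMPLE_EXPORTS = (
    "# /etc/exports\n"
    "/home     trusted.example.org(rw)\n"
    "\n"                                   # truly empty line: not flagged
    " \t \n"                               # spaces and a tab only: flagged
    "/pub      build.example.org(ro)\n"
    "\t\n"                                 # a single tab: flagged
)


def whitespace_only_lines(text):
    """Return [(line_number, repr_of_line)] for every line that is non-empty
    but consists solely of whitespace characters."""
    findings = []
    for number, line in enumerate(text.split("\n"), start=1):
        if line and line.isspace():
            findings.append((number, repr(line)))
    return findings


def sanitize(text):
    """Return the text with whitespace-only lines emptied. Lines are emptied
    rather than dropped so the remaining entries keep their line numbers."""
    return "\n".join(
        "" if (line and line.isspace()) else line for line in text.split("\n")
    )


def main(argv):
    """Audit the file named on the command line, or the sample if none."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    else:
        text = SAMPLE_EXPORTS
    findings = whitespace_only_lines(text)
    for number, content in findings:
        print(f"line {number}: whitespace-only line {content}")
    return 1 if findings else 0   # non-zero exit lets a cron job or CI step alert


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
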

