suspense ...

1 members found this post helpful.

Has this misplaced "vulneratbility" CLICKBAIT posting by OP crts finally been marked as SOLVED?

If it's a genuine vulnerabiity I assume the OP will mark it as solved when the vulnerability is fixed.

Yes. As I said above this is certainly *not* how found vulnerabilities should be handled. Only creates FUD and without any real value.

But at least we all learned you were on a blacklist!


Thanks for your dedication and have a nice weekend!

It will be interesting to me to see if OP ever posts here again given the (justified) negative responses. Not many people learn how to accept their own mistakes as important steps in a learning process, and admit to them. I'm not certain if that is more prevalent IRL where it's actually face-to-face with some you will see again or online where one can just fade away anonymously.

I hope if OP was actually serious and skilled enough to find even some minor vulnerability that he has the cajones and mental strength to just explain he was excited, overreacting, confused, or whatever led him to post in such a manner. Hopefully he learns that as Carl Sagan stated "Extraordinary claims require extraordinary evidence" so it should be a given that mere hints "the sky is falling" will be greeted by extreme skepticism.

1 members found this post helpful.

Setting aside whatever weird issues he apparently has with Eric, this thread should have been:
#1 "I think I've found a vulnerability... Who do I tell?"
#2 "Email Pat".
end-of-thread.

IMO the subsequent dog-piling was neither justified, nor helpful.

4 members found this post helpful.

True, but, the OP provoked the escalation by being critical of Eric in the first post. There was no need to do that. I'm glad that the team is in contact with the OP. I'm also grateful that the OP notified us about the potential vulnerability.

1 members found this post helpful.

That's bullshit. Instead of making big mysterious eyes OP should post what is about. Slackware by itself does not provide any advanced administration tools. The only place where vulnerability may appear are startup scripts, pkgtools, mkinitrd, slackpkg - probably I missed one or more. Besides that vulnerabilities come directly from application - so authors of application should be addressed - not Slackware. In other words these are only possible points where admin cannot address vulnerability by itself. I mean I can stop to slackpkg - but if it is deeper - how to stop to use pkgtools? Just build manually and
tools are made to help not to free from thinking (probably I should add here morons - but mod for sure will kick my ass- so I omit this one).

Edit: OP should state explicitly so people can do something by themselves instead of now sitting and trying to guess what is about - and wait for fix(?) If there is really vulnerability in Slackware - as well OP installation can be broken.

2 members found this post helpful.

This way of thinking makes a product vulnerable. The attacker thinks differently.

If vulnerability concerns only Slackware - then it must be only at points where Slackware differs from other Linuxes. And the first thing what OP does not understand is that telling that some accidental person found vulnerability is completely enough for most real hackers. It is as valuable as just straightforward describe what is it. Even worse - cause real hackers would have now great advantage - they would quickly find what is it about. But we are here sitting and trying to guess what is it. While hackers are working now. So this why all this is bullshit. From OP post it sounds like it was mistake - error - made by OP - but not being trapped by script - and causing some strange behavior. Bash functionality may cause troubles - bash has too many capabilities to be secure. File names may cause serious troubles. It sound like OP never really cared about to secure its installation. Now something broke down and Slackware is guilty. I really would be glad to hear from OP what she/he thinks is secure system.

1 members found this post helpful.

The problem with "Full disclosure" is that not everyone has the skills to mitigate the problem until the fix arrives. Also, those that do have the skill might not become aware of the disclosure announcement.

The problem with 'responsible disclosure' is that those whom do have the skills to mitigate are left vulnerable for longer.

"Full" vs "Responsible" is an argument almost as old as folks have been talking about vulnerability announcements, and neither option is ideal.


BTW, I wouldn't worry about pkgtools: they're inherently insecure by design (doinst.sh run as root), so there's really no need for anyone to figure out sneaky ways to compromise them.¹

----
¹ This is why one should always gpg verify your package signatures before use.

3 members found this post helpful.

Yes, that was unfortunate.

1 members found this post helpful.

What is unfortunate is the post itself
- no one reports a vulnerability in this way
- no one chooses who should answer or not
- no one leaves a vulnerability report, however critical it is, without any update for 8 days

1 members found this post helpful.

A properly configured firewall will mitigate the issue. Do not leave any unnecessary ports open.

2 members found this post helpful.

My bet here is inetd.conf configuration problems.

Edit:
just a common desktop (actually it is AlienBob Live Edition). Am I dead now?