Josh Carroll <[EMAIL PROTECTED]> writes: > Actually, people have reported that there is an exploit, and in fact > even OpenBSD is vulnerable.
Yes, I've seen these claims, but you have to keep in mind that not everyone who posts to mailing lists is entirely honest. 8-) Early claims such as "*BDDs, GNU/Linux and Solaris are all affected" should be taken with a grain of salt, especially if a heap-based overflow is involved. The malloc() implementations are quite different, and the *BSDs are less vulnerable to heap corruption than other systems. > I would still patch ASAP. Best not to risk it. If I was still busy recovering from MS03-039, I wouldn't stop this work in favor of this. My gut feeling is that it's okay to wait for vendor patches. > It's probably a matter of time before a widely available exploit is > released. First of all, the bug has to be actually exploitable. Please keep in mind that so far, *zero* evidence has been published that this is actually possible. If it is exploitable, it has to be an anonymous exploit (without proper login), unless it won't have a wide-spread impact. > I personally would like to see said exploit so I can test my systems > post-patch. At least you can use the package version indicator in the reply string to see which version of the binary is running.
