Date: Fri, 27 Aug 1999 16:18:14 +0200
From: Eivind Eklund <eivind@FreeBSD.ORG>
To: "Sean O'Connell" <sean@stat.Duke.EDU>
Cc: FreeBSD security <freebsd-security@FreeBSD.ORG>
Subject: Re: Chflags vulnerability in FreeBSD?
Message-ID: <19990827161814.X79110@bitbox.follo.net>
In-Reply-To: <19990827100807.P28256@stat.Duke.EDU>; from Sean O'Connell on Fri, Aug 27, 1999 at 10:08:07AM -0400
References: <19990827100807.P28256@stat.Duke.EDU>

On Fri, Aug 27, 1999 at 10:08:07AM -0400, Sean O'Connell wrote:
> Hi All-
>
> I received the following from SANS (www.sans.org) and it intimated
> that there is a vulnerability in FreeBSD that had previously been
> thought to only exist in BSDi:
> SANS Digest EXTRA -- Vol. 3 Num. 8a
>
> 4) In item 10, BSDI A of the August SANS Security Digest, we reported
> the chflags problem as a BSDI-specific problem, when in fact other
> versions of BSD kernel are affected as well as some programs (e.g.,
> ssh) based on the same routine. Vendor specific information can be
> found at:
> http://www.BSDI.COM/support/patches/patches-4.0.1/M401-014.info
> http://www.BSDI.COM/support/patches/patches-3.1/M310-056.info
> http://www.ssh.fi/sshprotocols2/
> http://www.openbsd.org/errata.html#chflags
> Also, according to a Bugtraq posting by Adam Morrison on 08/01/1999,
> NetBSD has corrected the problem and FreeBSD appears to be vulnerable.
> The SANS Digest editors were unable to locate any FreeBSD specific
> information regarding this problem.
>
> Has this been addressed or fixed? If it exists, it should probably
> be fixed before 3.3 gets out the door.

It has been fixed, and had been fixed the day the posting was approved
for bugtraq (of course, the bugtraq editors then spent 4-5 days before
approving the postings pointing this out).

SANS has not made any serious attempt to get information - there has,
for instance, not been any mail from them to
security-officer@FreeBSD.org.

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990827161814.X79110>