Date:      Fri, 27 Aug 1999 16:18:14 +0200
From:      Eivind Eklund <eivind@FreeBSD.ORG>
To:        "Sean O'Connell" <sean@stat.Duke.EDU>
Cc:        FreeBSD security <freebsd-security@FreeBSD.ORG>
Subject:   Re: Chflags vulnerability in FreeBSD?
Message-ID:  <19990827161814.X79110@bitbox.follo.net>
In-Reply-To: <19990827100807.P28256@stat.Duke.EDU>; from Sean O'Connell on Fri, Aug 27, 1999 at 10:08:07AM -0400
References:  <19990827100807.P28256@stat.Duke.EDU>

On Fri, Aug 27, 1999 at 10:08:07AM -0400, Sean O'Connell wrote:
> Hi All-
> 
> I received the following from SANS (www.sans.org) and it intimated
> that there is a vulnerability in FreeBSD that had previously been
> thought to only exist in BSDi:

> SANS Digest EXTRA -- Vol. 3 Num. 8a
> 
> 4) In item 10, BSDI A of the August SANS Security Digest, we reported
>    the chflags problem as a BSDI-specific problem, when in fact other
>    versions of BSD kernel are affected as well as some programs (e.g.,
>    ssh) based on the same routine. Vendor specific information can be
>    found at:
>         http://www.BSDI.COM/support/patches/patches-4.0.1/M401-014.info
>         http://www.BSDI.COM/support/patches/patches-3.1/M310-056.info
>         http://www.ssh.fi/sshprotocols2/
>         http://www.openbsd.org/errata.html#chflags
>    Also, according to a Bugtraq posting by Adam Morrison on 08/01/1999,  
>    NetBSD has corrected the problem and FreeBSD appears to be vulnerable.
>    The SANS Digest editors were unable to locate any FreeBSD specific
>    information regarding this problem.
> 
> Has this been addressed or fixed?  If it exists, it should probably
> be fixed before 3.3 gets out the door.

It has been fixed, and had been fixed the day the posting was approved
for bugtraq (of course, the bugtraq editors then spent 4-5 days before
approving the postings pointing this out).

SANS has not made any serious attempt to get information - there has,
for instance, not been any mail from them to
security-officer@FreeBSD.org.

Eivind.


