From owner-freebsd-audit@FreeBSD.ORG Mon Sep 6 19:37:16 2004
Date: Mon, 6 Sep 2004 22:35:14 +0300
From: Giorgos Keramidas <keramida@freebsd.org>
To: freebsd-audit@freebsd.org
Message-ID: <20040906193514.GA1373@gothmog.gr>
Subject: Keeping compress(1) WARNS?=6 clean

I've been locally using compress(1) with the following patch for a long
while now (at least 1 year, since a bug in compress was found in Jan 2003
by me and committed a few months later by Tom Rhodes):

%%%
Index: Makefile
===================================================================
RCS file: /home/ncvs/src/usr.bin/compress/Makefile,v
retrieving revision 1.7
diff -u -r1.7 Makefile
--- Makefile	8 Feb 2002 22:31:37 -0000	1.7
+++ Makefile	22 Aug 2004 02:14:18 -0000
@@ -6,6 +6,8 @@
 LINKS= ${BINDIR}/compress ${BINDIR}/uncompress
 MLINKS= compress.1 uncompress.1
 
+WARNS?= 6
+
 # XXX zopen is not part of libc
 # MAN=zopen.3
 
%%%

Is it ok if I ask RE's approval to commit this change in HEAD to keep the
source clean from changes that might seem like a regression from its
current state?

- Giorgos

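Review bot: The hunk turns on WARNS?= 6 for every architecture, but the mail only says the knob has been in local use; since a WARNS level in bsd.sys.mk also builds with -Werror (unless NO_WERROR is set), a warning that appears only on a 64-bit platform, such as a sign or width complaint on amd64 or sparc64, becomes a build break there, which is exactly the regression the RE approval request worries about. Suggest saying in the commit message which architectures compress(1) was built on at WARNS=6 (or that a universe build passed), or building it once with NO_WERROR first to see the full warning set before committing.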
From owner-freebsd-audit@FreeBSD.ORG Wed Sep 8 00:40:45 2004
Date: Tue, 7 Sep 2004 20:40:44 -0400
From: kerochan ii <kerochan2@gmail.com>
To: freebsd-audit@freebsd.org
Message-ID: <3b793f1a040907174043f4cad4@mail.gmail.com>
Subject: portaudit false positive

portaudit started warning me about a vulnerability in the cvs server in
the base system. It reports that the affected package is FreeBSD-502010.
I realised that this is actually a vulnerability fixed months ago, and
because I'm tracking RELENG_5_2 and thus running 5.2.1-p9, it was fixed
on my system before portaudit even reported vulnerabilities in base.

So please make it check if the base system is patched (uname -m) and
only let it report problems if they really exist.

Thank you in advance...

From owner-freebsd-audit@FreeBSD.ORG Wed Sep 8 06:36:43 2004
To: kerochan ii <kerochan2@gmail.com>
References: <3b793f1a040907174043f4cad4@mail.gmail.com>
From: Dag-Erling Smørgrav <des@des.no>
Date: Wed, 08 Sep 2004 08:36:40 +0200
In-Reply-To: <3b793f1a040907174043f4cad4@mail.gmail.com> (kerochan ii's message of "Tue, 7 Sep 2004 20:40:44 -0400")
Cc: freebsd-audit@freebsd.org
Subject: Re: portaudit false positive

kerochan ii writes:
> portaudit started warning me about a vulnerability in the cvs server
> in the base system.
> It reports that the affected package is FreeBSD-502010.
> I realised that this is actually a vulnerability fixed months ago, and
> because I'm tracking RELENG_5_2 and thus running 5.2.1-p9, it was
> fixed on my system before portaudit even reported vulnerabilities in
> base.

No. For various reasons, this vulnerability still hasn't been fixed in
RELENG_5_2 or RELENG_4_10.

DES
-- 
Dag-Erling Smørgrav - des@des.no
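As an added example for the portaudit exchange above (written for this page; it is not portaudit's code and not from either poster): a base-system version check that takes the release string as uname -r prints it, folds the -pN patch level into the VuXML spelling of a patched release (5.2.1_9), and tests it against VuXML-style ge/gt/le/lt bounds. Both affected-version ranges in the block are constructed for illustration and say nothing about the real cvs advisory; the second models the case Dag-Erling describes, where no fix has shipped on the branch and 5.2.1-p9 is still inside the range, so a patch-level-aware check would not silence the report.

```python
"""Check a FreeBSD base-system release, patch level included, against
VuXML-style affected-version ranges.

Added example for this thread; it is not portaudit's own code. Assumed
conventions: a patched base release is spelled "5.2.1_9" (release,
underscore, patch level) as VuXML does, and a range is a set of
ge/gt/le/lt bounds that must all hold. The ranges at the bottom are
constructed for illustration, not taken from any real advisory.
"""
import re
from typing import Dict, List, Tuple

# Accepts what uname -r prints: "5.2.1-RELEASE-p9", "4.10-RELEASE",
# "5.3-BETA3", "6.0-CURRENT"; the "-pN" suffix is the patch level.
_RELEASE_RE = re.compile(r"^(\d+(?:\.\d+)*)-[A-Z][A-Z0-9]*(?:-p(\d+))?$")


def uname_to_vuxml(release: str) -> str:
    """'5.2.1-RELEASE-p9' -> '5.2.1_9'; an unpatched release gets no suffix."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    base, patch = m.group(1), m.group(2)
    return f"{base}_{patch}" if patch else base


def parse_version(v: str) -> Tuple[List[int], int]:
    """'5.2.1_9' -> ([5, 2, 1], 9); a missing patch level counts as 0."""
    base, _, patch = v.partition("_")
    return [int(x) for x in base.split(".")], (int(patch) if patch else 0)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is <, == or > b.

    Shorter dotted versions are padded with zeros (5.2 == 5.2.0) and the
    patch level only decides ties, so 5.2.1_9 < 5.3 but 5.2.1_9 > 5.2.1.
    """
    na, pa = parse_version(a)
    nb, pb = parse_version(b)
    width = max(len(na), len(nb))
    ka = (na + [0] * (width - len(na)), pa)
    kb = (nb + [0] * (width - len(nb)), pb)
    return (ka > kb) - (ka < kb)


# VuXML bound name -> test applied to compare(version, bound)
_BOUNDS = {
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
    "le": lambda c: c <= 0,
    "lt": lambda c: c < 0,
}


def in_range(version: str, bounds: Dict[str, str]) -> bool:
    """True when every bound in the range holds for version."""
    return all(_BOUNDS[op](compare(version, limit)) for op, limit in bounds.items())


def is_affected(release: str, ranges: List[Dict[str, str]]) -> bool:
    """Does the running release (as uname -r prints it) fall in any range?"""
    version = uname_to_vuxml(release)
    return any(in_range(version, r) for r in ranges)


# Constructed ranges for the two situations in the thread (not real advisory data).
# An entry whose fix shipped as 5.2.1-p9 and 4.10-p2: p9 is outside the range.
FIXED_AT_P9 = [{"ge": "5.2", "lt": "5.2.1_9"}, {"ge": "4.10", "lt": "4.10_2"}]
# An entry with no fix on the branch yet: every 5.2.x, p9 included, is inside.
NOT_YET_FIXED = [{"ge": "5.2", "le": "5.2.1_9"}]

if __name__ == "__main__":
    for rel in ("5.2.1-RELEASE-p8", "5.2.1-RELEASE-p9", "4.10-RELEASE"):
        print(rel, "fixed-at-p9:", is_affected(rel, FIXED_AT_P9),
              "not-yet-fixed:", is_affected(rel, NOT_YET_FIXED))
```

The comparison deliberately pads short dotted versions rather than treating "5.2" and "5.2.0" as different, because VuXML lower bounds are usually written at branch granularity ("5.2") while the running system reports the full point release; and the patch level breaks ties only, so a -pN suffix can never lift a release past the next point release.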