Date:      Wed, 19 Mar 2003 18:00:11 -0800
From:      Michael Bryan <fbsd-secure@ursine.com>
To:        security@FreeBSD.ORG
Subject:   FreeBSD and CERT announcements (Was: EEYE: XDR Integer Overflow)
Message-ID:  <3E7920AB.FAC7B5C1@ursine.com>
References:  <5.2.0.9.0.20030319155420.080cbab8@marble.sentex.ca>



Mike Tancsa wrote:
> 
> Anyone know if this affects FreeBSD? There is no mention in the CERT advisory.

Yeah, I also noticed that the Sendmail advisory from CERT had no
info about FreeBSD.  Has there been a breakdown in communication
between FreeBSD and CERT?

I just did a little digging through the CERT Advisories, as well as
their vulnerabilities database, looking for items that could at least
potentially affect FreeBSD.  I've also looked for corresponding FreeBSD
advisories.  My results are all detailed below, but there does seem to
be a disturbing lack of FreeBSD info/response in most recent CERT documents.
The kadmind and BIND Advisories in Oct/Nov of 2002 mentioned FreeBSD in
the Advisories and the Vulnerability Notes.  Subsequent CERT advisories
don't mention FreeBSD, though in some cases the associated vulnerabilities
do have a brief status on FreeBSD.  (There have been at least six potentially
relevant CERT advisories since December 1, 2002.)

Can anyone on the FreeBSD Security Team or from CERT shed a little light
on this subject?

Summary of FreeBSD references in CERT Advisories and Vulnerability Notes
for the last five months:

CA-2003-10, 19-Mar-2003, XDR:
	CERT Advisory:  Nothing for FreeBSD
	CERT Vulnerability Note:  FreeBSD status = unknown, 18-Feb-2003
	FreeBSD Advisory:  None
	Links:	http://www.cert.org/advisories/CA-2003-10.html
		http://www.kb.cert.org/vuls/id/516825


CA-2003-07, 03-Mar-2003, Sendmail:
	CERT Advisory:  Nothing for FreeBSD
	CERT Vulnerability Note:  FreeBSD status = vulnerable, 03-Mar-2003
	FreeBSD Advisory:  Yes
	Links:	http://www.cert.org/advisories/CA-2003-07.html
		http://www.kb.cert.org/vuls/id/398025
		ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:04.sendmail.asc
  

CA-2003-06, 21-Feb-2003, SIP:
	CERT Advisory:  Nothing for FreeBSD
	CERT Vulnerability Note:  FreeBSD status = unknown, 17-Feb-2003
	FreeBSD Advisory:  None
	Links:	http://www.cert.org/advisories/CA-2003-06.html
		http://www.kb.cert.org/vuls/id/528719


CA-2003-02, 22-Jan-2003, CVS:
	CERT Advisory:  Nothing for FreeBSD
	CERT Vulnerability Note:  FreeBSD status = Vulnerable, 04-Feb-2003
	FreeBSD Advisory:  Yes
	Links:	http://www.cert.org/advisories/CA-2003-02.html
		http://www.kb.cert.org/vuls/id/650937
		ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:01.cvs.asc

CA-2003-01, 15-Jan-2003, ISC DHCPD:
	CERT Advisory:  Nothing for FreeBSD
	CERT Vulnerability Note:  FreeBSD status = Unknown, 15-Jan-2003
	FreeBSD Advisory:  None
	Links:	http://www.cert.org/advisories/CA-2003-01.html
		http://www.kb.cert.org/vuls/id/284857

CA-2002-36, 16-Dec-2002, SSH:
	CERT Advisory:  Nothing for FreeBSD
	CERT Vulnerability Note:  FreeBSD not contacted???
	FreeBSD Advisory:  None
	Links:	http://www.cert.org/advisories/CA-2002-36.html
		http://www.kb.cert.org/vuls/id/389665#systems

CA-2002-31, 14-Nov-2002, BIND:
	CERT Advisory:  References FreeBSD-SA-02:43.bind
	CERT Vulnerability Note:  Four separate notes, each with different FreeBSD status:
		VU#852283:  Vulnerable, 14-Nov-2002
		VU#229595:  Unknown, 12-Nov-2002
		VU#581682:  FreeBSD not listed as a contacted vendor???
		VU#844360:  Not Vulnerable, 14-Nov-2002
	FreeBSD Advisory:  Yes
	Links:	http://www.cert.org/advisories/CA-2002-31.html
		http://www.kb.cert.org/vuls/id/852283
		http://www.kb.cert.org/vuls/id/229595
		http://www.kb.cert.org/vuls/id/581682
		http://www.kb.cert.org/vuls/id/844360
		ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:43.bind.asc

CA-2002-29, 25-Oct-2002
	CERT Advisory:  References FreeBSD-SA-02:40.kadmind.asc
	CERT Vulnerability Note:  FreeBSD status = Vulnerable, 13-Nov-2002
	FreeBSD Advisory:  Yes
	Links:	http://www.cert.org/advisories/CA-2002-29.html
		http://www.kb.cert.org/vuls/id/875073
		ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:40.kadmind.asc
