From: Michael Bryan
Date: Wed, 19 Mar 2003 18:00:11 -0800
To: security@FreeBSD.ORG
Subject: FreeBSD and CERT announcements (Was: EEYE: XDR Integer Overflow)
Message-ID: <3E7920AB.FAC7B5C1@ursine.com>
References: <5.2.0.9.0.20030319155420.080cbab8@marble.sentex.ca>

Mike Tancsa wrote:
>
> Anyone know if this affects FreeBSD? There is no mention in the CERT advisory.

Yeah, I also noticed that the Sendmail advisory from CERT had no info about FreeBSD. Has there been a breakdown in communication between FreeBSD and CERT?

I just did a little digging through the CERT Advisories, as well as their vulnerabilities database, looking for items that could at least potentially affect FreeBSD. I've also looked for corresponding FreeBSD advisories. My results are all detailed below, but there does seem to be a disturbing lack of FreeBSD info/response in most recent CERT documents.

The kadmind and BIND Advisories in Oct/Nov of 2002 mentioned FreeBSD in the Advisories and the Vulnerability Notes. Subsequent CERT advisories don't mention FreeBSD, though in some cases the associated vulnerabilities do have a brief status on FreeBSD. (There have been at least six potentially relevant CERT advisories since December 1, 2002.)

Can anyone on the FreeBSD Security Team or from CERT shed a little light on this subject?

Summary of FreeBSD references in CERT Advisories and Vulnerability Notes for the last five months:

CA-2003-10, 19-Mar-2003, XDR:
  CERT Advisory:            Nothing for FreeBSD
  CERT Vulnerability Note:  FreeBSD status = unknown, 18-Feb-2003
  FreeBSD Advisory:         None
  Links:
    http://www.cert.org/advisories/CA-2003-10.html
    http://www.kb.cert.org/vuls/id/516825

CA-2003-07, 03-Mar-2003, Sendmail:
  CERT Advisory:            Nothing for FreeBSD
  CERT Vulnerability Note:  FreeBSD status = vulnerable, 03-Mar-2003
  FreeBSD Advisory:         Yes
  Links:
    http://www.cert.org/advisories/CA-2003-07.html
    http://www.kb.cert.org/vuls/id/398025
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:04.sendmail.asc

CA-2003-06, 21-Feb-2003, SIP:
  CERT Advisory:            Nothing for FreeBSD
  CERT Vulnerability Note:  FreeBSD status = unknown, 17-Feb-2003
  FreeBSD Advisory:         None
  Links:
    http://www.cert.org/advisories/CA-2003-06.html
    http://www.kb.cert.org/vuls/id/528719

CA-2003-02, 22-Jan-2003, CVS:
  CERT Advisory:            Nothing for FreeBSD
  CERT Vulnerability Note:  FreeBSD status = Vulnerable, 04-Feb-2003
  FreeBSD Advisory:         Yes
  Links:
    http://www.cert.org/advisories/CA-2003-02.html
    http://www.kb.cert.org/vuls/id/650937
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:01.cvs.asc

CA-2003-01, 15-Jan-2003, ISC DHCPD:
  CERT Advisory:            Nothing for FreeBSD
  CERT Vulnerability Note:  FreeBSD status = Unknown, 15-Jan-2003
  FreeBSD Advisory:         None
  Links:
    http://www.cert.org/advisories/CA-2003-01.html
    http://www.kb.cert.org/vuls/id/284857

CA-2002-36, 16-Dec-2002, SSH:
  CERT Advisory:            Nothing for FreeBSD
  CERT Vulnerability Note:  FreeBSD not contacted???
  FreeBSD Advisory:         None
  Links:
    http://www.cert.org/advisories/CA-2002-36.html
    http://www.kb.cert.org/vuls/id/389665#systems

CA-2002-31, 14-Nov-2002, BIND:
  CERT Advisory:            References FreeBSD-SA-02:43.bind
  CERT Vulnerability Note:  Four separate notes, each with a different FreeBSD status:
    VU#852283: Vulnerable, 14-Nov-2002
    VU#229595: Unknown, 12-Nov-2002
    VU#581682: FreeBSD not listed as a contacted vendor???
    VU#844360: Not Vulnerable, 14-Nov-2002
  FreeBSD Advisory:         Yes
  Links:
    http://www.cert.org/advisories/CA-2002-31.html
    http://www.kb.cert.org/vuls/id/852283
    http://www.kb.cert.org/vuls/id/229595
    http://www.kb.cert.org/vuls/id/581682
    http://www.kb.cert.org/vuls/id/844360
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:43.bind.asc

CA-2002-29, 25-Oct-2002:
  CERT Advisory:            References FreeBSD-SA-02:40.kadmind.asc
  CERT Vulnerability Note:  FreeBSD status = Vulnerable, 13-Nov-2002
  FreeBSD Advisory:         Yes
  Links:
    http://www.cert.org/advisories/CA-2002-29.html
    http://www.kb.cert.org/vuls/id/875073
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:40.kadmind.asc