Date: Tue, 14 Jan 2014 15:53:08 -0800
From: Gregory Shapiro
To: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:01.bsnmpd
Message-ID: <20140114235308.GB13117@minime.us.proofpoint.com>
In-Reply-To: <201401142011.s0EKB8Zw082592@freefall.freebsd.org>

> Topic: bsnmpd remote denial of service vulnerability

...

> III. Impact
>
> This issue could be exploited to execute arbitrary code in the context of
> the service daemon, or crash the service daemon, causing a denial-of-service.

The title/topic of this advisory should be changed to reflect the more serious of these impacts, "execute arbitrary code". IMHO, this is a much larger impact than bsnmpd crashing.