From owner-freebsd-isp  Fri Apr  4 04:09:40 1997
Return-Path: <owner-isp>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id EAA03909
          for isp-outgoing; Fri, 4 Apr 1997 04:09:40 -0800 (PST)
Received: from nexis.net (customer-1.ican.net [198.133.36.101])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA03881;
          Fri, 4 Apr 1997 04:09:28 -0800 (PST)
Received: from localhost (james@localhost)
	by nexis.net (8.8.5/8.8.5) with SMTP id HAA07192;
	Fri, 4 Apr 1997 07:08:57 -0500 (EST)
Date: Fri, 4 Apr 1997 07:08:56 -0500 (EST)
From: James FitzGibbon <james@nexis.net>
To: Gary Palmer <gpalmer@freebsd.org>
cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Another INND security hole.
In-Reply-To: <13819.860105449@orion.webspan.net>
Message-ID: <Pine.BSF.3.95q.970404070554.7035E-100000@nexis.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 3 Apr 1997, Gary Palmer wrote:

> Hope I'm not out of line forwarding this before the CERT
> advisory... It's probably all over bugtraq already tho.

Two issues about this patch and it necessity on FreeBSD.  Not
understanding INN myself, I noted that the you're not exposed unless you
run 'ucbmail'.  Does that include FreeBSD ?  There's no such binary on the
system.  Is ucbmail the SVR4 version of our /usr/bin/mail, and if so, is
our one prone to the same faults ?

The other issue is that when you visit www.isc.org and try to get the
patch, it doesn't exist.

--
j.