From owner-freebsd-isp Fri Apr 4 21:35:07 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id VAA22142 for isp-outgoing; Fri, 4 Apr 1997 21:35:07 -0800 (PST)
Received: from mail.webspan.net (mail.webspan.net [206.154.70.7]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id VAA22133; Fri, 4 Apr 1997 21:35:02 -0800 (PST)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970116) with ESMTP id AAA28239; Sat, 5 Apr 1997 00:34:17 -0500 (EST)
Received: from orion.webspan.net (localhost [127.0.0.1]) by orion.webspan.net (WEBSPN/970116) with ESMTP id AAA10332; Sat, 5 Apr 1997 00:34:16 -0500 (EST)
To: James FitzGibbon
cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
From: "Gary Palmer"
Subject: Re: Another INND security hole.
In-reply-to: Your message of "Fri, 04 Apr 1997 07:08:56 EST."
Date: Sat, 05 Apr 1997 00:34:16 -0500
Message-ID: <10330.860218456@orion.webspan.net>
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

James FitzGibbon wrote in message ID :
> On Thu, 3 Apr 1997, Gary Palmer wrote:
> > Hope I'm not out of line forwarding this before the CERT
> > advisory... It's probably all over bugtraq already tho.

> Two issues about this patch and its necessity on FreeBSD. Not
> understanding INN myself, I noted that you're not exposed unless you
> run 'ucbmail'. Does that include FreeBSD? There's no such binary on the
> system. Is ucbmail the SVR4 version of our /usr/bin/mail, and if so, is
> our one prone to the same faults?

No idea to be honest. However, the patch is recommended for all
installations. The other thing is that it does NOT say `ucbmail',
rather UCB mail, i.e. the UCB mailer distributed by UCB. (At least the
WWW page says that. I don't have the advisory in front of me right now)

> The other issue is that when you visit www.isc.org and try to get the
> patch, it doesn't exist.

Try again. It seems to have been regenerated.
From the WWW page:

A new security issue has come up that affects anyone using UCB Mail as
the mailer defined in the config.data variable _PATH_MAILCMD. A patch
has been created that is for all versions of INN and is available here.

Note: The patch was originally released as security-patch.04, but has
been regenerated as security-patch.05. You should apply this even if
you don't use UCB mail. It is a patch to the same file
(samples/parsecontrol) as the patches discussed below. If you are
running a version of INN older than 1.5.1, then you must apply one of
the patches discussed in Security Notice 1 before you can apply this
patch.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info