From owner-cvs-all Sat Sep 23 6:14:16 2000
Delivered-To: cvs-all@freebsd.org
Received: from green.dyndns.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id CB50137B422; Sat, 23 Sep 2000 06:14:10 -0700 (PDT)
Received: from localhost (1ttbrx@localhost [127.0.0.1] (may be forged)) by green.dyndns.org (8.11.0/8.11.0) with ESMTP id e8NDE8537221; Sat, 23 Sep 2000 09:14:09 -0400 (EDT) (envelope-from green@FreeBSD.org)
Message-Id: <200009231314.e8NDE8537221@green.dyndns.org>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: Kris Kennaway
Cc: "Vanilla I. Shu", cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/audio/esound/patches patch-ac
In-Reply-To: Message from Kris Kennaway of "Sat, 23 Sep 2000 02:11:46 PDT."
From: "Brian F. Feldman"
Date: Sat, 23 Sep 2000 09:14:08 -0400
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> On Sat, 23 Sep 2000, Vanilla I. Shu wrote:
>
> > vanilla 2000/09/23 01:21:23 PDT
> >
> > Modified files:
> > audio/esound/patches patch-ac
> > Log:
> > Add a patch that fixes the vulnerability.
> >
> > Submitted by: ade
>
> What vulnerability?

The one I fixed already, of course. More importantly, this change is a reversion to more insecure behavior (new hole: mode 777 directory in a user's home directory) and should be backed out immediately.

Needless to say, the BugTraq poster was a complete idiot and did not actually fix things with the posted "patch". I've been tempted to say so; misinformation is just about as bad as not knowing about a vulnerability, since you can be fooled into THINKING you've fixed the issues.

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'