Date: Wed, 10 Jan 2001 20:19:26 -0500 (EST)
From: Trevor Johnson
To: Jason DiCioccio
Cc: Berend de Boer
Subject: RE: CERT advisory: "Interbase Server Contains Compiled-in Back Door Account"
In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA024385@goofy.epylon.lan>

> Can any users of this package confirm if they actually knew about
> this backdoor account? I don't see how a backdoor account accidentally
> makes its way into a database package like this. If this was
> undocumented/unknown, I would have to assume it might have been
> intentional from someone working on the project perhaps? I do not
> use this database package, so I can't accuse anyone or any company of
> this, but it's hard to imagine a 'backdoor account' making its way
> in the source otherwise. I guess we'll have to wait for a Borland
> advisory.

Hi, Jason. I'm not sure what you mean: that we should assume everything's fine and do nothing unless Borland also says there's a problem, or that you will just be curious about the origin of the problem until they explain it.

FWIW the problem is also described at http://www.interbase2000.com/ (which apparently does not belong to Borland).

The backdoor is not documented in the pkg-descr file for the port. If the port is not fixed or forbidden, and it has the backdoor, the fact should at least be documented there.
-- 
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt