Date: Thu, 06 Feb 1997 16:27:15 +0100
From: Eivind Eklund <eivind@dimaga.com>
To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
Cc: freebsd-chat@freebsd.org
Subject: Re: Blacklisting and being "asked" to deinstall FreeBSD - you heard that right!
Message-ID: <3.0.32.19970206162713.00a77680@dimaga.com>

At 09:19 AM 2/6/97 +0100, J Wunsch wrote:
>As Jamie Bowden wrote:
>
>> So what is this 'threat'? And how severe is it? I mean, sendmail has
>> delivered remote root on demand in the last three releases, so how bad
>> can this really be?
>
>Less, since it required at least a valid local user first.

In reality, this bug is less severe than the bugs in sendmail, telnet,
talkd, wuftpd, finger, etc that have been discovered before - any remote
hole is worse. It is little worse than the bugs in lpr or the
second-to-last bug in sendmail (kill -HUP bug), due to it being more than
a single binary to fix.

However, the emotional shock of hearing that _every_ suid binary on your
system is vulnerable should not be underestimated. I believe an
announcement at once would have been a good move, even one only
containing soothing mumbo-jumbo, summarised as "There is a problem; we
know what it is, and we'll be back as soon as possible with a proper fix.
This will take a little time, as we need to do it properly."

Well, it is easy to be wise in hindsight. :)

Eivind Eklund perhaps@yes.no http://maybe.yes.no/perhaps/
<eivind@freebsd.org>