From owner-freebsd-chat Thu Feb 6 07:54:44 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA01598 for chat-outgoing; Thu, 6 Feb 1997 07:54:44 -0800 (PST)
Received: from nic.follonett.no (nic.follonett.no [194.198.43.10]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA01533 for ; Thu, 6 Feb 1997 07:54:40 -0800 (PST)
Received: (from uucp@localhost) by nic.follonett.no (8.8.5/8.8.3) with UUCP id QAA15434; Thu, 6 Feb 1997 16:51:44 +0100 (MET)
Received: from oo7 (oo7.dimaga.com [192.0.0.65]) by dimaga.com (8.7.5/8.7.2) with SMTP id QAA29158; Thu, 6 Feb 1997 16:27:13 +0100 (MET)
Message-Id: <3.0.32.19970206162713.00a77680@dimaga.com>
X-Sender: eivind@dimaga.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 06 Feb 1997 16:27:15 +0100
To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
From: Eivind Eklund
Subject: Re: Blacklisting and being "asked" to deinstall FreeBSD - you heard that right!
Cc: freebsd-chat@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-chat@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

At 09:19 AM 2/6/97 +0100, J Wunsch wrote:
>As Jamie Bowden wrote:
>
>> So what is this 'threat'? And how severe is it? I mean, sendmail has
>> delivered remote root on demand in the last three releases, so how bad
>> can this really be?
>
>Less, since it required at least a valid local user first.

In reality, this bug is less severe than the bugs in sendmail, telnet, talkd, wuftpd, finger, etc. that have been discovered before - any remote hole is worse. It is a little worse than the bugs in lpr or the second-to-last bug in sendmail (the kill -HUP bug), due to there being more than a single binary to fix. However, the emotional shock of hearing that _every_ suid binary on your system is vulnerable should not be underestimated.

I believe an announcement at once would have been a good move, even one only containing soothing mumbo-jumbo, summarised as "There is a problem; we know what it is, and we'll be back as soon as possible with a proper fix. This will take a little time, as we need to do it properly."

Well, it is easy to be wise in hindsight. :)

Eivind Eklund
perhaps@yes.no
http://maybe.yes.no/perhaps/