From owner-freebsd-security Wed May 15 9:38:32 2002
Message-Id: <4.3.2.7.2.20020515101500.00e7fee0@nospam.lariat.org>
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Date: Wed, 15 May 2002 10:37:49 -0600
From: Brett Glass
To: Makoto Matsushita
Cc: security@FreeBSD.org
Subject: Re: Patch/Announcement for DHCPD remote root hole?
In-Reply-To: <20020515105453K.matusita@jp.FreeBSD.org>
References: <4.3.2.7.2.20020509175155.024efc00@nospam.lariat.org>

I think you misunderstood my message. Yes, the port is updated, but the
package is not. In fact, if you use /stand/sysinstall to list the packages
for 4.5-RELEASE on ftp.freebsd.org, you see an entry for isc-dhcp3-3.0.1.r4,
which is quite old.

This is a major security problem. Users who install FreeBSD (either over the
Net or from a CD-ROM) and use /stand/sysinstall to bring in the package
(which the program encourages them to do!) will instantly make their systems
vulnerable.

Whenever a port is updated due to a security problem, the package on the FTP
server and mirrors should be rebuilt at the same time. Otherwise, every new
install -- even over the Net! -- is likely to be vulnerable.

This is not good for users, for the Net, or for FreeBSD's reputation.

--Brett

At 07:54 PM 5/14/2002, Makoto Matsushita wrote:

>brett> Are a patch and an announcement for the ISC DHCPD format string
>brett> vulnerability/remote root hole imminent?
>
>From FreeBSD-SN-02:02:
>
>> Port name: isc-dhcp3
>> Affected: versions < dhcp-3.0.1.r8_1
>> Status: Fixed
>> Format string vulnerability when logging DNS-update request transactions.
>
>Is it what you want? ports/net/isc-dhcp3 is already fixed, updating
>to dhcp-3.0.1.r9.
>
>-- 
>Makoto `MAR' Matsushita
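The check at issue in the thread is whether the package a user is about to install from the release media or FTP index is older than the version the advisory names as fixed. The following is an added example, not code from the message or from FreeBSD's pkg tools, that applies the advisory's "Affected: versions < dhcp-3.0.1.r8_1" rule to a constructed package list. The version comparator is a deliberately simplified assumption: dotted numeric components compare numerically, a `.rN` suffix is a release candidate that sorts below the final release with the same base, and `_N` is the port revision (default 0). It does not reproduce pkg_version's full comparison algorithm, and the sample index below is constructed; only the isc-dhcp3 versions in it come from the thread.

```python
import re

# Fixed version from FreeBSD-SN-02:02 as quoted in the thread: anything
# below dhcp-3.0.1.r8_1 is affected. The package name prefix is dropped.
FIXED_VERSION = "3.0.1.r8_1"

# Constructed sample of what an installer's package index might list.
# Only the isc-dhcp3 version strings are taken from the message.
SAMPLE_INDEX = [
    "isc-dhcp3-3.0.1.r4",    # what 4.5-RELEASE media reportedly carried
    "isc-dhcp3-3.0.1.r8_1",  # first fixed version per the advisory
    "isc-dhcp3-3.0.1.r9",    # what the port was updated to
    "other-pkg-1.2",         # unrelated package, must be ignored
]

# base numbers, optional ".rN" release candidate, optional "_N" port revision
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.r(\d+))?(?:_(\d+))?$")


def parse_version(ver):
    """Turn a version string into a tuple that sorts in release order.

    Simplified assumption, not pkg_version's algorithm: (0, N) for an rN
    candidate sorts below (1, 0) for the final release of the same base.
    """
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError("unrecognised version string: %r" % ver)
    base = tuple(int(x) for x in m.group(1).split("."))
    rc = (0, int(m.group(2))) if m.group(2) is not None else (1, 0)
    rev = int(m.group(3)) if m.group(3) is not None else 0
    return (base, rc, rev)


def split_pkg(pkg):
    """Split 'name-version' at the last dash: 'isc-dhcp3-3.0.1.r4' -> ('isc-dhcp3', '3.0.1.r4')."""
    name, _, ver = pkg.rpartition("-")
    if not name or not ver:
        raise ValueError("not a name-version package string: %r" % pkg)
    return name, ver


def is_vulnerable(pkg, fixed_version=FIXED_VERSION):
    """True when the package's version is strictly below the fixed version."""
    _, ver = split_pkg(pkg)
    return parse_version(ver) < parse_version(fixed_version)


def find_vulnerable(index, name="isc-dhcp3", fixed_version=FIXED_VERSION):
    """Return the entries of a package index that still carry an affected version."""
    return [
        pkg for pkg in index
        if split_pkg(pkg)[0] == name and is_vulnerable(pkg, fixed_version)
    ]


if __name__ == "__main__":
    for pkg in find_vulnerable(SAMPLE_INDEX):
        print("affected package still on offer:", pkg)
```

Note that `3.0.1.r8` without a port revision is still flagged, because the advisory's boundary is `r8_1`, and a plain `3.0.1` sorts above every `r` candidate; if a real index used a different suffix convention, the regular expression would reject it rather than silently misorder it.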