From owner-freebsd-security Wed May 15 9:46: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 8FA1937B40A for ; Wed, 15 May 2002 09:45:57 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 1929D47; Wed, 15 May 2002 11:45:57 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.11.6) with ESMTP id g4FGjupd033477; Wed, 15 May 2002 11:45:56 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g4FGjtBk033476; Wed, 15 May 2002 11:45:55 -0500 (CDT) Date: Wed, 15 May 2002 11:45:55 -0500 From: "Jacques A. Vidrine" To: Brett Glass Cc: Makoto Matsushita , security@FreeBSD.org Subject: Re: Patch/Announcement for DHCPD remote root hole? Message-ID: <20020515164555.GA33357@madman.nectar.cc> References: <4.3.2.7.2.20020509175155.024efc00@nospam.lariat.org> <4.3.2.7.2.20020509175155.024efc00@nospam.lariat.org> <4.3.2.7.2.20020515101500.00e7fee0@nospam.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20020515101500.00e7fee0@nospam.lariat.org> User-Agent: Mutt/1.3.28i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, May 15, 2002 at 10:37:49AM -0600, Brett Glass wrote: > I think you misunderstood my message. Yes, the port is updated, > but the package is not. In fact, if you use /stand/sysinstall > to list the packages for 4.5-RELEASE on ftp.freebsd.org, you > see an entry for isc-dhcp3-3.0.1.r4, which is quite old. > > This is a major security problem. Users who install FreeBSD > (either over the Net or from a CD-ROM) and use /stand/sysinstall > to bring in the package (which the program encourages them to do!), > will instantly make their systems vulnerable. Whenever a port is > updated due to a security problem, the package on the FTP server > and mirrors should be rebuilt at the same time. Otherwise, every > new install -- even over the Net! -- is likely to be vulnerable. > This is not good for users, for the Net, or for FreeBSD's > reputation. Careless system administrators / consultants are an even bigger security problem. If you install 4.5-RELEASE, you get packages that were generated for 4.5-RELEASE. Surprise. Updated packages are here: ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.5-stable/All/ isc-dhcp3-3.0.1.r8_1.tgz This URL is listed as part of the Security Notice. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message