Date: Mon, 01 Jul 2002 15:43:27 +0100
From: David Pick
To: security@freebsd.org
Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current.
In-reply-to: Your message of "01 Jul 2002 16:01:34 +0200."

On 01 Jul 2002 16:01:34 +0200, Dag-Erling Smorgrav wrote:
> Chris Johnson writes:
> > On Mon, Jul 01, 2002 at 03:23:59PM +0200, Dag-Erling Smorgrav wrote:
> > > Darren Reed writes:
> > > > With OpenSSH 3.4, ssh-keysign gets installed setuid-root.
> > > Not in FreeBSD.
> > Are you sure?
>
> I don't care about the port. Personally, I'd rather it didn't exist,
> and I think admins who install it need to have their head checked.

At least the port can be built and installed without having to have large amounts of system source installed on the limited amount of hard disc available on a laptop with multiple OSs installed.
Of course, a binary system update can be installed even more easily without *any* source but we don't have any such available. At least we can build a binary update "package" for the "ports" version using a simple "make package"; it's harder for the version integrated into the base.

The previous SA (SA-02:13) on OpenSSH 2.9 as included in the base included instructions for building a corrected version with the minimum amount of compilation and minimum amount of source installed but didn't include any help on just how much source *was* the minimum amount. And you had to extract parts of (IIRC) three of the "source" distributions. This is even more true for the recent resolver problems...

Please note that I have *not* asked for a binary update. I don't want to get flamed the way Brett does...

--
David Pick