Date: Sat, 05 Apr 1997 00:34:16 -0500
From: "Gary Palmer" <gpalmer@freebsd.org>
To: James FitzGibbon <james@nexis.net>
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Another INND security hole.
Message-ID: <10330.860218456@orion.webspan.net>
In-Reply-To: Your message of "Fri, 04 Apr 1997 07:08:56 EST." <Pine.BSF.3.95q.970404070554.7035E-100000@nexis.net>

James FitzGibbon wrote in message ID
<Pine.BSF.3.95q.970404070554.7035E-100000@nexis.net>:
> On Thu, 3 Apr 1997, Gary Palmer wrote:
> > Hope I'm not out of line forwarding this before the CERT
> > advisory... It's probably all over bugtraq already tho.

> Two issues about this patch and its necessity on FreeBSD. Not
> understanding INN myself, I noted that you're not exposed unless you
> run 'ucbmail'. Does that include FreeBSD ? There's no such binary on the
> system. Is ucbmail the SVR4 version of our /usr/bin/mail, and if so, is
> our one prone to the same faults ?

No idea to be honest. However, the patch is recommended for all
installations. The other thing is that it does NOT say `ucbmail',
rather UCB mail, i.e. the UCB mailer distributed by UCB. (At least the
WWW page says that. I don't have the advisory in front of me right now)

> The other issue is that when you visit www.isc.org and try to get the
> patch, it doesn't exist.

Try again. It seems to have been regenerated. From the WWW page:

A new security issue has come up that affects anyone using UCB Mail as
the mailer defined in the config.data variable _PATH_MAILCMD. A patch
has been created that is for all versions of INN and is available here.

Note: The patch was originally released as security-patch.04, but has
been regenerated as security-patch.05.

You should apply this even if you don't use UCB mail. It is a patch to
the same file (samples/parsecontrol) as the patches discussed below. If
you are running a version of INN older than 1.5.1, then you must apply
one of the patches discussed in Security Notice 1 before you can apply
this patch.

Gary
--
Gary Palmer                                  FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info