Date: Mon, 1 Jul 2002 13:22:34 -0500
From: "Jacques A. Vidrine"
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: resolv and dynamic linking to compat libc
Message-ID: <20020701182234.GO8128@madman.nectar.cc>
In-Reply-To: <4.3.2.7.2.20020701120628.023147e0@localhost>

On Mon, Jul 01, 2002 at 12:14:00PM -0600, Brett Glass wrote:
> At 11:53 AM 7/1/2002, Jacques A. Vidrine wrote:
>
> >No, I'm afraid not. libc.so.3 will not be rebuilt in the usual sense
> >of the word, thus leaving binaries that link against it vulnerable.
>
> In that case, has the binary package including it been taken offline?

No.

> It's unethical to leave it where it might be downloaded.

Gee, I guess we better get cracking to take offline every previous
version of libc, too --- which would mean every version of FreeBSD and
who knows what else. Hmm, and any applications that may have been
statically linked with any of them.

How about you help out by enumerating every copy on the Internet,
along with contact information for each? That would be much
appreciated. Thanks.

--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se