Date: Thu, 08 Nov 2001 10:10:15 -0700 (MST)
From: David Bear <David.Bear@asu.edu>
To: FreeBSD Security List <freebsd-security@freebsd.org>
Subject: Re: Fw: Buffer overflow in lpd?
Message-ID: <Pine.LNX.4.33.0111081008110.26286-100000@moroni.pp.asu.edu>
In-Reply-To: <20011108153916.A67725@straylight.oblivion.bg>

On Thu, 8 Nov 2001, Peter Pentchev wrote:

> Date: Thu, 08 Nov 2001 15:39:16 +0200
> On Thu, Nov 08, 2001 at 07:29:17AM -0600, Kevin & Anita Kinsey wrote:
> > from http://icat.nist.gov/icat.cfm?cvename=CAN-2001-0670 :
> >
> > "Buffer overflow in BSD line printer daemon (in.lpd or lpd) in various BSD-based operating systems allows remote attackers to execute arbitrary code via an incomplete print job followed by a request to display the printer queue."
> >
> > Was this fixed prior to 4.4-REL? Date on site is "prior to 10/3/2001." REL was Sept, correct?
>
> All the information is there at the FreeBSD Project website.
> Go to http://www.FreeBSD.org/, follow the Security link, follow
> the Security Advisories link, there is a list of advisories.
> SA-01:58 is labeled as 'FreeBSD-SA-01:58.lpd', suggesting that
> it has something to do with, well, lpd :)
>
> This advisory lists a correction date of 2001-08-30 (FreeBSD 4.3-STABLE)
> and states that "[the] base system that will ship with FreeBSD 4.4 does
> not contain this problem since it was corrected before the release".
>

As a side note, it is also curious that in 4.4-RELEASE LPRng was NOT included in the ports directory.

/usr/ports make search key=lprng

only found ifhp -- the lprng filter. Anyone know why lprng (the supposedly more secure lpr) was not included in the ports dist?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message