From owner-freebsd-security  Tue Jun 10 10:09:35 1997
Return-Path: <owner-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id KAA17341
          for security-outgoing; Tue, 10 Jun 1997 10:09:35 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49])
          by hub.freebsd.org (8.8.5/8.8.5) with SMTP id KAA17325
          for <freebsd-security@freebsd.org>; Tue, 10 Jun 1997 10:09:32 -0700 (PDT)
Received: from rover.village.org [127.0.0.1] 
	by rover.village.org with esmtp (Exim 1.60 #1)
	id 0wbUPM-0001GK-00; Tue, 10 Jun 1997 11:08:36 -0600
To: Matthias Buelow <token@wicx50.informatik.uni-wuerzburg.de>
Subject: Re: Security problem with FreeBSD 2.2.1 default installation 
Cc: ghelmer@cs.iastate.edu (Guy Helmer), freebsd-security@freebsd.org
In-reply-to: Your message of "Tue, 03 Jun 1997 18:51:42 +0200."
		<199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de> 
References: <199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de>  
Date: Tue, 10 Jun 1997 11:08:35 -0600
From: Warner Losh <imp@village.org>
Message-Id: <E0wbUPM-0001GK-00@rover.village.org>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de> Matthias Buelow writes:
: I was already wondering when I freshly installed 2.1.5 half a year ago that
: sperl 4.x was still setuid (I remember that Perl's unsafety was already
: known at least when I was still running 2.1.0 and I also remember some old
: CERT advisories mentioning FreeBSD ages ago).  Since then it has become
: routine for me to chmod 0 sperl/setuidperl etc. and I'm really wondering
: how there could be people left who don't know of that ancient hole?  I mean,
: even some of my clueless Linux friends know about the sperl vulnerability. ;)

I'm pretty sure it wasn't that ancient hole, but rather a newer one
that was a buffer overflow.  The ancient hole was different and fixed,
if memory serves correctly.

Warner