Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 05 Feb 1997 13:34:18 -0800
From:      David Greenman <dg@root.com>
To:        tqbf@enteract.com
Cc:        karl@mcs.net, freebsd-security@freebsd.org
Subject:   Re: 2.1.6+++: crt0.c CRITICAL CHANGE 
Message-ID:  <199702052134.NAA11176@root.com>
In-Reply-To: Your message of "05 Feb 1997 19:03:33 GMT." <19970205190333.11804.qmail@char-star.rdist.org> 

next in thread | previous in thread | raw e-mail | index | archive | help
>>Note that Tom Ptaeck WILL be releasing *EXPLOITS AND DETAILS* within one
>>week.  Either this gets fixed or the world knows how to break in.
>
>I'm not concerned about the "fix" for the problem in question, since
>they're already out there (just remove locale processing altogether). I'm
>concerned that the FreeBSD project is not going to inform their users of
>this problem. This is, in my opinion, probably the most severe problem
>with FreeBSD that has been brought to public attention. 
>
>An advisory for this problem needs to be released immediately. The FreeBSD
>project needs to come to grips with the fact that there are many, many
>people who won't act on a problem until CERT releases an advisory. Until
>that happens, people will remain vulnerable to the problem, regardless of
>how much effort goes into finding "the right fix".
>
>I'll repeat myself, again: everyone that you should be worried about
>having exploit details to this problem ALREADY DOES. People are being
>broken into with this as we speak. There's a vast amount of 2.1 systems
>out there, and those 2.1 systems are on networks with other systems, and
>their vulnerabilites are going to seed the comprimise of entire networks.
>
>This is not good.
>
>Please, please, please alert the public (and the incident response teams)
>about this problem. 

   The problem is fixed in all of our source branches by removing the support
for PATH_LOCALE. It was there only as a debugging aid in the first place.
An announcement including a proper patch for the problem is being worked on.
It's taken much longer to put together an accurate announcement because of
uncertainties about just exactly which versions are effected and just exactly
how. It's not as simple as you might first think and we don't won't to
provide dis-information to the public about this problem.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702052134.NAA11176>