From owner-freebsd-security Tue Oct 24 08:51:58 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id IAA18524 for security-outgoing; Tue, 24 Oct 1995 08:51:58 -0700
Received: from vhf.dataradio.com (G496.InterLink.NET [198.168.61.62]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id IAA18517 for ; Tue, 24 Oct 1995 08:51:50 -0700
Received: (from root@localhost) by vhf.dataradio.com (8.6.9/8.6.12) id LAA28650; Tue, 24 Oct 1995 11:51:28 -0400
Date: Tue, 24 Oct 1995 11:51:27 -0400 (EDT)
From: Dataradio sysadmin
To: "David A. Borman"
cc: davidg@Root.COM, hartmans@mit.edu, security@freebsd.org
Subject: Re: telnetd fix
In-Reply-To: <9510241523.AA05306@frenzy.cray.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

On Tue, 24 Oct 1995, David A. Borman wrote:

>
> > Hi; I've been thinking about the telnetd security patch that was recently
> > sent out. I've been watching the list of "vulnerable" environment variables
> > grow daily...I really think that excluding certain environment variables is the
> > wrong approach to solving the problem. I think it is much wiser to do an

[snip]

Have I missed something here? Why not just compile telnetd / login as
statically linked programs, and voila, no worry about possibly switching
libc under their noses.

-----
Andrew Webster                DATARADIO, Inc.
Network Manager               http://www.dataradio.com
Special Projects              awebster@dataradio.com