From owner-freebsd-security  Mon Jul  1 20: 5:15 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id A39A237B405; Mon,  1 Jul 2002 20:05:11 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id C108E43E26; Mon,  1 Jul 2002 20:05:10 -0700 (PDT)
	(envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2])
	by lariat.org (8.9.3/8.9.3) with ESMTP id VAA12696;
	Mon, 1 Jul 2002 21:04:55 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020701210053.0229c970@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 01 Jul 2002 21:04:50 -0600
To: "Jacques A. Vidrine" <nectar@FreeBSD.ORG>
From: Brett Glass <brett@lariat.org>
Subject: Re: resolv and dynamic linking to compat libc
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20020701182234.GO8128@madman.nectar.cc>
References: <4.3.2.7.2.20020701120628.023147e0@localhost>
 <3D1AA5F2.9020305@ca.com>
 <3D1AA5F2.9020305@ca.com>
 <4.3.2.7.2.20020701120628.023147e0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

At 12:22 PM 7/1/2002, Jacques A. Vidrine wrote:

>Gee, I guess we better get cracking to take offline every previous
>version of libc, too --- which would mean every version of FreeBSD and
>who knows what else.

Alas, ethics demand that they be either taken offline or accompanied
with a clear, visible, and strong warning.

And if compatibility libraries are offered, then yes -- they
absolutely should be patched.

If you don't, you're distributing vulnerable software, which is
not ethical.

>How about you help out by enumerating every copy on the Internet,
>along with contact information for each?

As if you could take those down. But what you *CAN* do is take
down vulnerable software and/or accompany by an impossible-to-miss
warning. 

A snapshot of 4.6-STABLE should also be made and released as 4.6.1.

--Brett


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message