From owner-freebsd-security Tue Jun 3 03:25:33 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id DAA20421 for security-outgoing; Tue, 3 Jun 1997 03:25:33 -0700 (PDT) Received: from tangelo.lal.ufl.edu ([204.199.163.200]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id DAA20416 for ; Tue, 3 Jun 1997 03:25:30 -0700 (PDT) Received: from bates-dialup (204.199.163.191) by tangelo.lal.ufl.edu (EMWAC SMTPRS 0.81) with SMTP id ; Tue, 03 Jun 1997 06:28:57 -0400 Message-ID: From: "Brad Bates" To: "Michael Haro" Cc: Subject: Re: Security problem with FreeBSD 2.2.1 default installation Date: Tue, 3 Jun 1997 06:23:03 -0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Michael, First, you may want to check-in with the security mail group and keep this out of the question group. See the freebsd-security information on the Support page at the fbsd site nearest you. Also, most folks would prefer that any security hole, whether real or suspected, not be generally announced until it is dealt with -- if you identify a problem to the right folks they will fix it, and then announce the fix. This helps people with less resources keep their systems secure until the fixes are available, and keeps the less mature of those on the Internet (bad boys & girls) from finding out about something they may have overlooked. The security folks will let you know how to report it, and may want some very specific details. As for "holes" (bugs) in existing code, well, that's part of life. No system is 100% secure. If you get a chance, take a read of Practical UNIX & Internet Security by Garfinkel & Spafford, or some comparable book to learn more about that. Thanks for the information, and good luck cleaning up your system. bab ---------- > From: Michael Haro > To: freebsd-questions@FreeBSD.ORG > Cc: perl@netmug.org > Subject: Security problem with FreeBSD 2.2.1 default installation > Date: Monday, June 02, 1997 11:20 PM > > Hi, yesterday one of my users gained root access to my system. > They did it by exploiting a bug in /usr/bin/sperl4* > Why does FreeBSD ship with a security hole? Is this a new one that you didn't > know about? How can I remedy the problem? Right now, I deleted the file from > the server. I am new to FreeBSD and would like to know how to fix it. > > Thanks, > Michael perl@netmug.org