From owner-freebsd-security Mon Feb 3 04:53:44 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id EAA27177 for security-outgoing; Mon, 3 Feb 1997 04:53:44 -0800 (PST)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA27172 for ; Mon, 3 Feb 1997 04:53:42 -0800 (PST)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id EAA04953 for ; Mon, 3 Feb 1997 04:55:05 -0800 (PST)
Received: (qmail 8354 invoked by uid 110); 3 Feb 1997 12:53:27 -0000
Message-ID: <19970203125327.8353.qmail@suburbia.net>
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-Reply-To: <199702031026.EAA19567@enteract.com> from "Thomas H. Ptacek" at "Feb 3, 97 04:25:39 am"
To: tqbf@enteract.com
Date: Mon, 3 Feb 1997 23:53:27 +1100 (EST)
Cc: security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> I'm fairly certain that if Mr. Assange was aware (in August) of the crt0
> vulnerability, he'd have notified someone (as opposed to leaving vague
> hints in unrelated messages). However, I obviously don't speak for him.

Sometimes vague hints in unrelated messages is all you get ;)

I wasn't as close to the FreeBSD development process in August and by
the time I got around to doing FreeBSD security reviews the problem had
disappeared of its own accord.

There are a significant number of security fixes, including to libc
about to enter the source base, dyson willing.

OpenBSD's bombastically brandished claims about security should be
viewed with a grain of salt [IMHO].

______________________________________________________________________________
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@iq.org          |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery