Date: Mon, 13 May 2002 07:05:20 -0400
From: Chris Faulhaber
To: "Carroll, D. (Danny)"
Cc: security@freebsd.org
Subject: Re: DHCPD bug
Message-ID: <20020513110520.GA21996@darkstar.doublethink.cx>
In-Reply-To: <6C506EA550443D44A061432F1E92EA4C012DBA@ing.com>

On Mon, May 13, 2002 at 09:18:59AM +0200, Carroll, D. (Danny) wrote:
> As a little aside, whilst reading the CERT advisory I noticed that
> NetBSD is not vulnerable because: "NetBSD fixed this during a format
> string sweep performed on 11-Oct-2000. No released version of NetBSD is
> vulnerable to this issue."
>
> Nice and prudent. Is there any reason why this would be difficult to do
> in the FreeBSD source / Ports source??
>

Numerous developers have performed audits on much of the base system
along with bringing in fixes from NetBSD, OpenBSD, and other parts of
the open-source community. As for the ports tree, with over 6000
independently-written applications, finding (or funding) developers to
perform a full-scale audit may be a bit difficult.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org