From: Josef El-Rayes
To: "Peter C. Lai"
cc: freebsd-security@freebsd.org
cc: Julian Elischer
cc: estover@nativenerds.com
Date: Wed, 29 Dec 2004 19:32:26 +0000
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10
Message-ID: <20041229193226.GA11252@daemon.li>
In-Reply-To: <20041229185332.GL24545@cowbert.net>

"Peter C. Lai":
> On Mon, Dec 27, 2004 at 06:18:30PM -0800, Julian Elischer wrote:
> > might be a good idea if we "urged" users to update their phpbb a bit
> > more vocally.
>
> Or if someone had been vigilant enough to add a vuxml entry about it back
> in November. Waiting >30 days to update the database that portaudit uses
> is a bit longish, don't you think? The "urging" to which you refer is
> already one of the services provided by portaudit.

first of all, if you run a machine you care about, you should
think twice before installing a software which has a bad
security track as phpBB has.

secondly, most of the time we do not know security issues any
earlier than they get posted to bugtraq or similar mailing lists,
so why don't you track these lists yourself?

sometimes we are quick on documenting security issues, sometimes
we are not, but instead of complaining you should help out, if
you want to improve this. you can also give me some money as
additional motivation, so i don't need to go working but sit at home
and improve this.

greets,
josef

-- 
Josef El-Rayes                                     (__)
Email: josef@daemon.li                             \\\'',)
Web:   http://daemon.li/                             \/  \ ^
FreeBSD Security Team                                .\._/_)