Date: Mon, 22 May 2000 14:02:32 -0400
From: "Crist J. Clark"
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The procfs Hole in 2.2.8-STABLE?
Message-ID: <20000522140231.A35505@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com> <200005220437.WAA92094@harmony.village.org>
In-Reply-To: <200005220437.WAA92094@harmony.village.org>; from imp@village.org on Sun, May 21, 2000 at 10:37:11PM -0600

On Sun, May 21, 2000 at 10:37:11PM -0600, Warner Losh wrote:
> In message <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com> "Crist J. Clark" writes:
> : Am I to take it that 2.2.8-STABLE would be vulnerable? The following
>
> Yes. There are many vulnerabilities that were fixed in 3.x that
> haven't been back ported to 2.x.

Most of the security advisories since things stopped being back-ported
to 2.2.8 have been for ports. If I have the port, I remake a fixed
version, use an alternative, or live without.

As for things in the base system, the make vulnerability
(FreeBSD-SA-00:01) doesn't really scare me on a mailserver. That seems
to be the only base system one of any consequence in the advisories
that has come up since they stopped getting back-ported to 2.2.8.

Should I be concerned about these "many vulnerabilities?" Where are
they documented?
--
Crist J. Clark
cjclark@home.com