Date: Fri, 8 Aug 2003 12:42:44 +0200
From: Alexander Leidinger <Alexander@Leidinger.net>
To: freebsd-ports@freebsd.org
Cc: Kris Kennaway <kris@obsecurity.org>
Subject: Re: Ports scheduled for removal on Nov 7
Message-ID: <20030808124244.48aca148.Alexander@Leidinger.net>
In-Reply-To: <20030808045334.GA97079@rot13.obsecurity.org>
References: <20030808045334.GA97079@rot13.obsecurity.org>
On Thu, 7 Aug 2003 21:53:34 -0700 Kris Kennaway <kris@obsecurity.org> wrote:

> The following ports are scheduled for removal on November 7 if they
> are still broken at that time and no PRs have been submitted to fix
>
> databases/firebird        firebird-1.0.2    chris@aims.com.au
> databases/firebird-devel  firebird-1.0.r2   chris@aims.com.au

I've marked them FORBIDDEN because of a posting on bugtraq. I've talked with the maintainer and he explained that the developers focus on the development of the next version and don't seem to be interested in fixing this vulnerability.

The description of the bug can be found at http://packetstormsecurity.nl/0305-exploits/dsr-adv001.txt. It's a getenv() overflow, so you need an account on the machine. As long as you are confident that there's no possibility to exploit this flaw (e.g. a dedicated DBS machine with no local accounts), there's no problem.

Do we really need to remove it? If yes, is it ok to just print a big warning instead of marking it as forbidden?

Bye,
Alexander.

--
The dark ages were caused by the Y1K problem.

http://www.Leidinger.net    Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
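For readers who want to see what "a getenv() overflow" looks like in code, the following is an added example; it is not Firebird's code and is not taken from the advisory linked above. It is a hypothetical program that copies the environment variable EXAMPLE_HOME into a fixed 64-byte buffer, once in the unsafe shape (unbounded strcpy) and once with the length check that closes the hole. The variable name, buffer size and return codes are all assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv()/unsetenv() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOME_BUF_SIZE 64   /* hypothetical fixed-size destination buffer */

/*
 * Vulnerable shape (illustrative, not Firebird's code): the length of an
 * environment variable is never checked before it is copied into a fixed-size
 * stack buffer.  Any local user who controls the environment of the process
 * (e.g. a setuid helper or a server they can start) can overflow `home`.
 * This function is shown for the pattern only; do not call it with untrusted
 * input.
 */
void load_home_unsafe(const char *varname)
{
    char home[HOME_BUF_SIZE];
    const char *val = getenv(varname);

    if (val == NULL)
        return;
    strcpy(home, val);   /* no bound: overflows when strlen(val) >= 64 */
    printf("using %s\n", home);
}

/*
 * Hardened shape: look the variable up, bound the copy, and refuse values
 * that do not fit instead of silently truncating them.
 * Returns 0 on success, -1 if the variable is unset, -2 if it is too long.
 */
int load_home_safe(const char *varname, char *out, size_t outsz)
{
    const char *val = getenv(varname);
    size_t len;

    if (val == NULL)
        return -1;
    len = strlen(val);
    if (len >= outsz)          /* need room for the terminating NUL */
        return -2;
    memcpy(out, val, len + 1);
    return 0;
}

/* Demo helper: set a constructed value of `len` 'A' bytes, then try to load it. */
int try_long_value(const char *varname, size_t len)
{
    char buf[HOME_BUF_SIZE];
    char *val = malloc(len + 1);
    int rc;

    if (val == NULL)
        return -3;
    memset(val, 'A', len);
    val[len] = '\0';
    if (setenv(varname, val, 1) != 0) {
        free(val);
        return -3;
    }
    rc = load_home_safe(varname, buf, sizeof buf);
    free(val);
    return rc;
}

/* Demo helper: remove the variable, then try to load it. */
int try_unset_value(const char *varname)
{
    char buf[HOME_BUF_SIZE];

    unsetenv(varname);
    return load_home_safe(varname, buf, sizeof buf);
}

int main(void)
{
    /* Constructed inputs: one that fits, one exactly at the limit, one far past it. */
    printf("63 bytes:  %d\n", try_long_value("EXAMPLE_HOME", 63));
    printf("64 bytes:  %d\n", try_long_value("EXAMPLE_HOME", 64));
    printf("512 bytes: %d\n", try_long_value("EXAMPLE_HOME", 512));
    printf("unset:     %d\n", try_unset_value("EXAMPLE_HOME"));
    return 0;
}
```

The point of the hardened version is that the decision is made on the length of the untrusted value before any byte is written, and that an oversized value is an error rather than a truncated path. Refusing (instead of truncating) also avoids the secondary bug where a silently shortened path points somewhere the attacker chose. This is a local issue in the sense Alexander describes: the attacker must be able to set the process's environment, which on a machine with no untrusted local accounts is not reachable.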