From: Matthias Buelow
Message-Id: <199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de>
Subject: Re: Security problem with FreeBSD 2.2.1 default installation
To: ghelmer@cs.iastate.edu (Guy Helmer)
Date: Tue, 3 Jun 1997 18:51:42 +0200 (MET DST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "Guy Helmer" at Jun 3, 97 10:44:33 am

>
> I just checked the bugtraq archives and found an exploit for sperl4.036
> and sperl 5.00x on FreeBSD was posted April 21!
>
> I guess no one watches bugtraq?!?

I was already wondering when I freshly installed 2.1.5 half a year ago
that sperl 4.x was still setuid (I remember that Perl's unsafety was
already known at least when I was still running 2.1.0 and I also
remember some old CERT advisories mentioning freebsd ages ago).
Since then it has become routine for me to chmod 0 sperl/setuidperl etc.
and I'm really wondering how there could be people left who don't know
of that ancient hole?
I mean, even some of my clueless Linux friends know about the sperl vulnerability. ;)