From: Igor Roshchin
Message-Id: <200108272048.f7RKm5k67160@giganda.komkon.org>
Subject: Re: procmail, squid: any takers?
To: n@nectar.com (Jacques A. Vidrine)
Date: Mon, 27 Aug 2001 16:48:05 -0400 (EDT)
Cc: freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
In-Reply-To: <20010827081503.F70454@madman.nectar.com> from "Jacques A. Vidrine" at Aug 27, 2001 08:15:03 AM

>
> On Mon, Aug 27, 2001 at 05:06:45PM +0400, Nickolay A.Kritsky wrote:
> > I am not sure that I understood you correctly. Do you mean that squid
> > and procmail ports have some unpatched bugs?
>
> Oops, I brain-o'd the To: line.
>
> No, the squid and procmail had bugs that have been patched, but for
> which we have not yet issued advisories.
>
> Sorry for the confusion,
> --
> Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
>

Disclaimer: I am not trying to bash anybody here, and I might not
have all information available.

Upon a quick look at
ftp.freebsd.org/pub/FreeBSD/branches/-current/ports/mail/procmail
it appears that the last changes to procmail were done on Jun 30
(it looks like the version of procmail was updated).
So, if according to Jacques, some bug was recently patched, it was
probably done by the authors of procmail.
(As a matter of fact, procmail does list those fixes at
http://www.procmail.org/ and
http://www.procmail.org/procmail.HISTORY.html )

I was not able to find any FreeBSD advisory issued on that part.
It seems to be a rather long delay for an advisory, especially
one for a problem fixed by the vendor.
(I admit, I am not sure how serious/exploitable this problem is.)

I am not sure about the squid port; there are too many variations of
that port, and in any case, I don't think researching that
makes any sense.

The main point is that with the trust of the FreeBSD users in the
FreeBSD core-team and security-officer(s) in particular, developed over
the years of great work of the FreeBSD team, people rely [well, maybe
sometimes somewhat reluctantly] on the FreeBSD advisories, and
their timely appearance.

Regards,

Igor