From owner-freebsd-security Mon Sep 4 22:29:14 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id WAA01530 for security-outgoing; Mon, 4 Sep 1995 22:29:14 -0700
Received: from who.cdrom.com (who.cdrom.com [192.216.222.3]) by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id WAA01497 for ; Mon, 4 Sep 1995 22:29:11 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by who.cdrom.com (8.6.11/8.6.11) with ESMTP id TAA15837 for ; Mon, 4 Sep 1995 19:33:12 -0700
Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.12/8.6.12) with SMTP id TAA00530; Mon, 4 Sep 1995 19:30:11 -0700
Message-Id: <199509050230.TAA00530@precipice.shockwave.com>
To: peter@haywire.dialix.com (Peter Wemm)
cc: freebsd-security@FreeBSD.org
Subject: Re: syslog patches?
In-reply-to: Your message of "04 Sep 1995 17:11:42 +0800." <42efse$fts$1@haywire.DIALix.COM>
Date: Mon, 04 Sep 1995 19:30:10 -0700
From: Paul Traina
Sender: security-owner@FreeBSD.org
Precedence: bulk

  From: peter@haywire.dialix.com (Peter Wemm)
  Subject: Re: syslog patches?

  guido@spooky.lss.cp.philips.com (Guido van Rooij) writes:
  >After the initial posting of Paul Traina's modified syslog I haven't
  >seen a new attempt yet. I did see a NetBSD solution to the problem
  >though. My question: is there any syslog.c that can be incorporated
  >in the source tree and to 2.1.0?
  >-Guido

  Not trying to offend Paul Traina, but I'd prefer to take Eric Allman's one and apply the necessary bandaids to it.

You won't offend me.

  But whatever the case, something *has* to go in, because if we ship 2.1 with the buggy version, because of the identical binaries on each system, somebody *will* calculate the offsets and the code to subvert 2.1R.

Absolutely.

  If going with Paul Traina's version is what it takes to get it fixed, I'll gladly put aside my slight preference for Eric's version.

I don't care one way or another, however I would prefer the more paranoid version in any case. Eric's certainly had enough sendmail-related bugs in the past that I would actually prefer to go with a version that NOT everyone is going to pound on.