From owner-freebsd-security  Mon Sep  4 22:29:14 1995
Return-Path: security-owner
Received: (from majordom@localhost)
          by freefall.freebsd.org (8.6.11/8.6.6) id WAA01530
          for security-outgoing; Mon, 4 Sep 1995 22:29:14 -0700
Received: from who.cdrom.com (who.cdrom.com [192.216.222.3])
          by freefall.freebsd.org (8.6.11/8.6.6) with ESMTP id WAA01497
          for <freebsd-security@FreeBSD.org>; Mon, 4 Sep 1995 22:29:11 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33])
          by who.cdrom.com (8.6.11/8.6.11) with ESMTP id TAA15837
          for <freebsd-security@freebsd.org>; Mon, 4 Sep 1995 19:33:12 -0700
Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.12/8.6.12) with SMTP id TAA00530; Mon, 4 Sep 1995 19:30:11 -0700
Message-Id: <199509050230.TAA00530@precipice.shockwave.com>
To: peter@haywire.dialix.com (Peter Wemm)
cc: freebsd-security@FreeBSD.org
Subject: Re: syslog patches? 
In-reply-to: Your message of "04 Sep 1995 17:11:42 +0800."
             <42efse$fts$1@haywire.DIALix.COM> 
Date: Mon, 04 Sep 1995 19:30:10 -0700
From: Paul Traina <pst@shockwave.com>
Sender: security-owner@FreeBSD.org
Precedence: bulk


  From: peter@haywire.dialix.com (Peter Wemm)
  Subject: Re: syslog patches?
  guido@spooky.lss.cp.philips.com (Guido van Rooij) writes:
  
  >After the intial posting of Paul Traina's modified syslog I haven't
  >seen a new attempt yet. I did see a NetBSD solution to the problem
  >though. My question: is theer any syslog.c that can be incorporated
  >in the source tree and to 2.1.0?
  
  >-Guido
  
  Not trying to offend Paul Traina, but I'd prefer to take Eric Allman's
  one and apply the necessary bandaids to it.

You won't offend me.
  
  But whatever the case, something *has* to go in, because if we ship
  2.1 with the buggy version, because of the identical binaries on each
  system, somebody *will* calculate the offsets and the code to subvert
  2.1R. 

Absolutely.
  
  If going with Paul Traina's version is what it takes to get it fixed,
  I'll gladly put aside my slight preference for Eric's version.

I don't care one way or another, however I would prefer the more paranoid
version in any case.  Eric's certainly had enough sendmail related bugs in
the past that I would actually prefer to go with a version that NOT everyone
is going to pound on.