Date: Fri, 29 Aug 1997 19:26:39 +0200 (MET DST)
From: Eivind Eklund <perhaps@yes.no>
To: freebsd-hackers@FreeBSD.ORG
Subject: Re: A disturbing discovery
Message-ID: <199708291726.TAA01529@bitbox.follo.net>
In-Reply-To: j@uriah.heep.sax.de's message of Fri, 29 Aug 1997 08:08:15 +0200
References: <Pine.GSO.3.96.970828223602.3963B-100000@echonyc.com> <199708290315.FAA06905@bitbox.follo.net> <19970829080815.WY53612@uriah.heep.sax.de>
[J. Wunsch]
> > As Eivind Eklund wrote:
> >
> > > When I made world the other day, it installed sperl4.036 -- isn't that
> > > known to be insecure?
> >
> > Warner <imp@freebsd.org> fixed this, AFAIK. It was unsecure, but
> > nothing that is known to be insecure is shipped.
>
> That's not quite right. There was one more fix, and all FreeBSD
> versions that have been shipped went out with a version with a buffer
> overflow. Try an overly long identifier (> 256 chars) to see the
> problem.

What I meant was that we don't knowingly release or keep around
anything with root-exploits in them. I'll admit that we still ship
old versions with bugs, though.

I'd really like to set up a system for automatically distributing
signed binary patches to allow everybody to stay as secure as we can
make them, but haven't had the time/energy yet (and there are other
problems that probably are more pressing).

Eivind.
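The over-long identifier case discussed in the thread, as an added C example that is not code from sperl, from FreeBSD, or from either poster: a fixed 256-byte identifier buffer, the unbounded copy that overflows it shown next to a bounded copy that refuses input of 256 characters or more. IDENT_MAX, the buffer layout and the function names are assumptions, not the real sperl code.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed identifier buffer size, chosen to match the "> 256 chars"
 * trigger mentioned in the thread; the real sperl layout is unknown here. */
#define IDENT_MAX 256

/* Unsafe pattern: copies into a fixed buffer with no length check, so an
 * identifier longer than the buffer overwrites whatever follows it on the
 * stack. Kept only for contrast; nothing below calls it. */
static void copy_ident_unsafe(char dst[IDENT_MAX], const char *src)
{
    strcpy(dst, src);            /* no bound: classic stack overflow */
}

/* Hardened pattern: measure with a bound first, reject anything that
 * does not fit together with its terminator (rejecting is safer than
 * silent truncation, which can change the identifier's meaning), then
 * copy and NUL-terminate. Returns 0 on success, -1 if rejected. */
static int copy_ident_safe(char dst[IDENT_MAX], const char *src)
{
    size_t n = 0;
    while (n < IDENT_MAX && src[n] != '\0')   /* never reads past IDENT_MAX */
        n++;
    if (n >= IDENT_MAX)                       /* no room for the terminator */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Builds a constructed identifier of `len` 'a' characters (capped at 511)
 * and reports whether the bounded copy accepts it: 1 = accepted, 0 = rejected. */
static int ident_accepted(size_t len)
{
    static char input[512];
    char ident[IDENT_MAX];
    if (len > sizeof(input) - 1)
        len = sizeof(input) - 1;
    memset(input, 'a', len);
    input[len] = '\0';
    return copy_ident_safe(ident, input) == 0;
}

int main(void)
{
    printf("100-char identifier: %s\n", ident_accepted(100) ? "accepted" : "rejected");
    printf("300-char identifier: %s\n", ident_accepted(300) ? "accepted" : "rejected");
    return 0;
}
```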
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199708291726.TAA01529>