Date: Fri, 29 Aug 1997 19:26:39 +0200 (MET DST)
Message-Id: <199708291726.TAA01529@bitbox.follo.net>
From: Eivind Eklund
To: freebsd-hackers@FreeBSD.ORG
In-reply-to: j@uriah.heep.sax.de's message of Fri, 29 Aug 1997 08:08:15 +0200
Subject: Re: A disturbing discovery
References: <199708290315.FAA06905@bitbox.follo.net> <19970829080815.WY53612@uriah.heep.sax.de>

[J. Wunsch]
> > As Eivind Eklund wrote:
> >
> > > When I made world the other day, it installed sperl4.036 -- isn't that
> > > known to be insecure?
> >
> > Warner fixed this, AFAIK. It was unsecure, but
> > nothing that is known to be insecure is shipped.
>
> That's not quite right. There was one more fix, and all FreeBSD
> versions that have been shipped went out with a version with a buffer
> overflow. Try an overly long identifier (> 256 chars) to see the
> problem.

What I meant was that we don't knowingly release or keep around
anything with root-exploits in them. I'll admit that we still ship old
versions with bugs, though.

I'd really like to set up a system for automatically distributing
signed binary patches to allow everybody to stay as secure as we can
make them, but haven't had the time/energy yet (and there are other
problems that probably are more pressing).

Eivind.