From owner-freebsd-security Wed Jun 14 20:32:07 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id UAA18080 for security-outgoing; Wed, 14 Jun 1995 20:32:07 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id UAA18074 for ; Wed, 14 Jun 1995 20:32:04 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id UAA02199; Wed, 14 Jun 1995 20:26:16 -0700
From: "Rodney W. Grimes"
Message-Id: <199506150326.UAA02199@gndrsh.aac.dev.com>
Subject: Re: FreeBSD vulnerability in S/Key
To: ywliu@beta.wsl.sinica.edu.tw
Date: Wed, 14 Jun 1995 20:26:16 -0700 (PDT)
Cc: security@freebsd.org
In-Reply-To: <199506150128.SAA14137@freefall.cdrom.com> from "ywliu@beta.wsl.sinica.edu.tw" at Jun 15, 95 09:23:24 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1144
Sender: security-owner@freebsd.org
Precedence: bulk

>
> Hi,
>
> I read the following on comp.security.announce
>
> >CERT Vendor-Initiated Bulletin VB-95:04
> >June 14, 1995
> >
> >Topic: Logdaemon/FreeBSD vulnerability in S/Key
> >Source: Wietse Venema (wietse@wzv.win.tue.nl)
> >
> >A vulnerability exists in my own S/Key software enhancements. Since
> >these enhancements are in wide-spread use, a public announcement is
> >appropriate. The vulnerability affects the following products:
> >
> >    FreeBSD version 1.1.5.1
> >    FreeBSD version 2.0
> >    logdaemon versions before 4.9
>
> I am not familiar with S/Key, so my question is : I am using MD5 rather than
> DES, is this relevant ?

No, that is not relevant. What is relevant is if you are using S/Key (i.e.
you have an /etc/skeykeys file) you should do what the CERT advisory
tells you to do.

> Am I supposed to patch my system ?

Probably not, since you don't know what skey is you are probably not using it.

>
> Also, is this fixed in 2.0.5 ?

Yes.

--
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                   Custom computers for FreeBSD