Skip site navigation (1)Skip section navigation (2) 
Date:      Tue,  2 Dec 2003 17:20:41 +0100 (CET)
From:      Stephane Bortzmeyer <bortzmeyer@nic.fr>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        Stephane Bortzmeyer <bortzmeyer@nic.fr>
Subject:   ports/59905: The echoping port is wrongly flagged (security alert)
Message-ID:  <20031202162041.6EE1CFAA5@vespucci.nic.fr>
Resent-Message-ID: <200312021630.hB2GUO5G035029@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         59905
>Category:       ports
>Synopsis:       The echoping port is wrongly flagged (security alert)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 02 08:30:24 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Stephane Bortzmeyer
>Release:        FreeBSD 5.1-RELEASE i386
>Organization:
AFNICN
>Environment:
System: FreeBSD fetiche.sources.org 5.1-RELEASE FreeBSD 5.1-RELEASE #0: Thu Jun 5 02:55:42 GMT 2003 root@wv1u.btc.adaptec.com:/usr/obj/usr/src/sys/GENERIC i386
>Description:
When installling the echoping port, it says:    
  ===> SECURITY REPORT: This port has installed the following files
which may act as network servers and may therefore pose a remote
security risk to the system.  
/usr/local/bin/echoping
      If there are vulnerabilities in these programs there may be a
security risk to the system. FreeBSD makes no guarantee about the
security of ports included in the Ports Collection. Please type 'make
deinstall' to deinstall the port if this is a concern.
      For more information, and contact details about the security
status of this software, see the following webpage:
 http://echoping.sourceforge.net/

   But echoping is *not* a network server and never was. I wonder where
does this strange alert comes from. IMHO, since echoping:
  * is not and cannot be a network server,
  * is never setuid or set gid,
  it should not generate a security report.
>How-To-Repeat:
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031202162041.6EE1CFAA5>