From owner-freebsd-questions Fri Feb 7 09:04:09 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA06728 for questions-outgoing; Fri, 7 Feb 1997 09:04:09 -0800 (PST) Received: from seabass.progroup.com (catfish.progroup.com [206.24.122.2]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA06713 for ; Fri, 7 Feb 1997 09:04:00 -0800 (PST) Received: from seabass.progroup.com (seabass.progroup.com [206.24.122.1]) by seabass.progroup.com (8.7.5/8.7.3) with SMTP id JAA24863; Fri, 7 Feb 1997 09:02:30 -0800 (PST) Message-ID: <32FB6026.52BFA1D7@progroup.com> Date: Fri, 07 Feb 1997 09:02:30 -0800 From: Craig Shaver Organization: Productivity Group, Inc. X-Mailer: Mozilla 3.01 (X11; I; FreeBSD 2.1.5-RELEASE i386) MIME-Version: 1.0 To: Pbl CC: questions@freebsd.org Subject: Re: Headache about Release References: <32FB3E4C.2781E494@dorotech.fr> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-questions@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Pbl wrote: > > First, sorry for my incorrect english. > > Yesterday morning, I was happy :). I bought my 2.1.6 walnut creek cdrom (there > is some delay between France and the U.S.) and plan to upgrade my system. > > Yesterday evening, I was sad :(. I have read from questions mailing list that > due to some security problems 2.1.6 will be replaced by 2.1.7. > > What's sort of problems (kernel, TCP/IP, commands) ?? > >From what I know, I believe you will be vulnerable if you are connected to the internet and allow logins of untrusted users. There is a bug in the setlocale() code used in crt0.o, which is compiled into all executables, that can be used to core dump a setuid program and gain root access. It sounds like you have some control over your users, and they can be trusted. Make sure they are using good passwords; run crack. -- Craig Shaver (craig@progroup.com) (415)390-0654 Productivity Group POB 60458 Sunnyvale, CA 94088