From owner-freebsd-security Wed Jun 14 22:35:33 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id WAA25371 for security-outgoing; Wed, 14 Jun 1995 22:35:33 -0700 Received: from aries.ibms.sinica.edu.tw ([140.109.40.248]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id WAA25365 for ; Wed, 14 Jun 1995 22:35:31 -0700 Received: (from taob@localhost) by aries.ibms.sinica.edu.tw (8.6.11/8.6.9) id NAA03498; Thu, 15 Jun 1995 13:34:21 +0800 Date: Thu, 15 Jun 1995 13:34:21 +0800 (CST) From: Brian Tao To: ywliu@beta.wsl.sinica.edu.tw cc: security@freebsd.org Subject: Re: FreeBSD vulnerability in S/Key In-Reply-To: <199506150128.SAA14137@freefall.cdrom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: security-owner@freebsd.org Precedence: bulk On Thu, 15 Jun 1995 ywliu@beta.wsl.sinica.edu.tw wrote: > > I am not familiar with S/Key, so my question is : I am using MD5 rather than > DES, is this relevent ? Am I supposed to patch my system ? Only if you use the S/Key one-time password system (which isn't enabled by default). If you don't know what S/Key is, then chances are your system isn't using them either. > Also, is this fixed in 2.0.5 ? Yes, it is: > FreeBSD current users: > ====================== > Update your /usr/src/lib/libskey sources and rebuild and > install libskey (both shared and non-shared versions). > > The vulnerability has been fixed with FreeBSD 2.0.5. -- Brian ("Though this be madness, yet there is method in't") Tao taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org