Date: Mon, 13 Nov 2000 22:11:30 -0800
From: Kris Kennaway <kris@FreeBSD.ORG>
To: Trevor Johnson <trevor@jpj.net>
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:68.ncurses
Message-ID: <20001113221129.A15599@citusc17.usc.edu>
In-Reply-To: <Pine.BSI.4.21.0011132242190.15575-100000@blues.jpj.net>; from trevor@jpj.net on Mon, Nov 13, 2000 at 10:56:55PM -0500
References: <20001113235453.B39D637B479@hub.freebsd.org> <Pine.BSI.4.21.0011132242190.15575-100000@blues.jpj.net>

On Mon, Nov 13, 2000 at 10:56:55PM -0500, Trevor Johnson wrote:
> This advisory would be better with a little more information:
>
> - it doesn't mention that systems with telnetd linked against a vulnerable
>   version of ncurses are susceptible to a remote DoS that doesn't require
>   the attacker to remain connected (described to me by Esa Etelavuori
>   <eetelavu@cc.hut.fi> and confirmed on my 4.1.1-R and 5.0-S systems).

This is a separate advisory under preparation, since it's really a separate problem.

> - it doesn't mention that the devel/ncurses port, until 2000-11-10,
>   installed a reportedly vulnerable version of the library.

Oops, that was an oversight.

> - it doesn't mention the report by venglin <venglin@freebsd.lublin.pl> of
>   problems with 3.x (http://www.securityfocus.com/advisories/2269).

I haven't been able to confirm it (and fixing it in 3.x is going to be something of a pain) - I haven't got any 3.x machines to test on. Actually I had something in a previous revision of the advisory which contained stronger language but I toned it down and unintentionally made it sound like we didn't know the problem had been reported.

I'll probably update this tomorrow..thanks for the feedback.

Kris