Date: Wed, 10 Jan 2001 20:19:26 -0500 (EST) From: Trevor Johnson <trevor@jpj.net> To: Jason DiCioccio <Jason.DiCioccio@Epylon.com> Cc: <security@freebsd.org>, Berend de Boer <berend@pobox.com> Subject: RE: CERT advisory: "Interbase Server Contains Compiled-in Back D oor Account" Message-ID: <Pine.BSI.4.30.0101102004020.20643-100000@blues.jpj.net> In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA024385@goofy.epylon.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
> Can any users of this package confirm if they actually knew about > this backdoor account? I don't see how a backdoor account accidently > makes its way into a database package like this. If this was > undocumented/unknown, I would have to assume it might have been > intentional from someone working on the project perhaps? I do not > use this database package, so I can't accuse anyone or any company of > this, but it's hard to imagine a 'backdoor account' making it's way > in the source otherwise. I guess we'll have to wait for a Borland > advisory. Hi, Jason. I'm not sure what you mean: that we should assume everything's fine and do nothing unless Borland also says there's a problem, or that you will just be curious about the origin of the problem until they explain it. FWIW the problem is also described at http://www.interbase2000.com/ (which apparently does not belong to Borland). The backdoor is not documented in the pkg-descr file for the port. If the port is not fixed or forbidden, and it has the backdoor, the fact should at least be documented there. -- Trevor Johnson http://jpj.net/~trevor/gpgkey.txt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSI.4.30.0101102004020.20643-100000>