Two possible vulnerabilities?

From: Mohacsi Janos (mohacsi_at_niif.hu)
Date: 07/01/04

  • Next message: Jos Hörchner: "wrong security branch name?"
    Date: Thu, 1 Jul 2004 15:28:41 +0200 (CEST)
    To: freebsd-security@freebsd.org
    
    

    Dear all,
              Browsing through the securityfocus vulnerability database I found
    two items, that might interesting for the FreeBSD community:
    1. GNU GNATS Syslog() Format String Vulnerability
    http://www.securityfocus.com/bid/10609

    GNATS is vital part of the PR handling of FreeBSD. I think security
    officers should contact developers of GNU GNATS about this issue to resolve
    the potential problem.

    2. gzip: Insecure creation of temporary files
    http://www.securityfocus.com/bid/10603
    In reality this affects only znew and gzexe only gzip version prior
    1.3.3-r4

    I am not quite sure about the whether this vulnerability exist in the
    current gzip 1.2.4, that is used in FreeBSD. According to the gzip page:
    http://www.gzip.org - new official version will be posted soon....

    Are there any plan to go forward gzip 1.3 ?

    Best Regards,

    Janos Mohacsi
    Network Engineer, Research Associate
    NIIF/HUNGARNET, HUNGARY
    Key 00F9AF98: 8645 1312 D249 471B DBAE 21A2 9F52 0D1F 00F9 AF98
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


  • Next message: Jos Hörchner: "wrong security branch name?"