Re: multiple vulnerabilities in the cvs server code

From: Dmitry Pryanishnikov (dmitry_at_atlantis.dp.ua)
Date: 09/14/04

    Date: Tue, 14 Sep 2004 16:37:10 +0300 (EEST)
    To: Volker Stolz <vs@freebsd.org>
    
    

    Hello!

    On Tue, 14 Sep 2004, Volker Stolz wrote:
    >> Type of problem: multiple vulnerabilities in the cvs server code.
    >> 1) What are current plans to fix these vulnerabilities?
    >
    > The related security advisory [SA] was already published in May:
    > ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:10.cvs.asc
    > (SAs are available from the project's front page).

      As I read in this SA, this vulnerability was fixed on 2004-05-20, before
    4.10 was released, so 4.10-RELEASE isn't vulnerable, right? But portaudit
    still complains about FreeBSD-491000. Probably, wrong check in auditfile?
    Also, it would be nice if such advisories advanced kern.osreldate,
    so auditfile could check this automatically; e.g., I have 4.9-RELEASE-p11,
    which isn't vulnerable to this problem, but kern.osreldate is still 490000
    there. If the Security Officer bumps src/sys/conf/newvers.sh, why doesn't he bump
    src/sys/sys/param.h?

    Sincerely, Dmitry

    -- 
    Atlantis ISP, System Administrator
    e-mail:  dmitry@atlantis.dp.ua
    nic-hdl: LYNX-RIPE
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    
